ADDISON-WESLEY PUBLISHING COMPANY
Reading, Massachusetts • Menlo Park, California
London • Amsterdam • Don Mills, Ontario • Sydney
Library of Congress Cataloging in Publication Data

Denning, Dorothy E. (Dorothy Elizabeth), 1945-
Cryptography and data security.
Includes bibliographical references and index.
1. Computers--Access control. 2. Cryptography.
3. Data protection. I. Title.
QA76.9.A25D46 1982 001.64'028'9 81-15012
ISBN 0-201-10150-5 AACR2
Preface
I am thankful to the students who read the book, worked the problems, and
provided numerous comments and suggestions: George Adams, Brian Beuning,
Steve Booth, Steve Breese, Carl Burch, Steve Burton, Ray Ciesielski, Cliff
Cockerham, Ken Dickman, James Dobrina, Dave Eckert, Jeremy Epstein, Tim
Field, Jack Fitch, Jim Fuss, Greg Gardner, Neil Harrison, Ching-Chih Hsiao,
Teemu Kerola, Ron Krol, Meng Lee, Peter Liesenfelt, Paul Morrisett, Tim Nodes,
Bhasker Parthasarathy, Steve Pauley, Alan Pieramico, Steve Raiman, Dan Reed,
David Rutkin, Paul Scherf, Carl Smith, Alan Stanson, Mark Stinson, Andy Tong,
and Kim Tresner. I am especially thankful to Matt Bishop for providing solutions
and for grading.
The working version of the book was prepared on the department's VAX
computer. I am grateful to Doug Comer, Herb Schwetman, and the many others
who kept the system operational and paid careful attention to backup procedures.
I am grateful to the people who helped with the publication of the book, especially
Peter Gordon, Gail Goodell, Cheryl Wurzbacher, and Judith Gimple.
I am especially grateful to my husband, Peter, for his encouragement, sup-
port, advice, and help throughout.
Contents
INTRODUCTION
1.1 Cryptography 1
1.2 Data Security 3
1.3 Cryptographic Systems 7
1.3.1 Public-Key Systems 11
1.3.2 Digital Signatures 14
1.4 Information Theory 16
1.4.1 Entropy and Equivocation 17
1.4.2 Perfect Secrecy 22
1.4.3 Unicity Distance 25
1.5 Complexity Theory 30
1.5.1 Algorithm Complexity 30
1.5.2 Problem Complexity and NP-Completeness 31
1.5.3 Ciphers Based on Computationally Hard Problems 34
1.6 Number Theory 35
1.6.1 Congruences and Modular Arithmetic 36
1.6.2 Computing Inverses 39
1.6.3 Computing in Galois Fields 48
Exercises 54
References 56
ENCRYPTION ALGORITHMS 59
2.1 Transposition Ciphers 59
2.2 Simple Substitution Ciphers 62
2.2.1 Single-Letter Frequency Analysis 66
2.3 Homophonic Substitution Ciphers 67
2.3.1 Beale Ciphers 70
ACCESS CONTROLS 191
4.1 Access-Matrix Model 192
4.1.1 The Protection State 192
4.1.2 State Transitions 194
4.1.3 Protection Policies 199
4.2 Access Control Mechanisms 200
4.2.1 Security and Precision 200
4.2.2 Reliability and Sharing 201
4.2.3 Design Principles 206
4.3 Access Hierarchies 207
4.3.1 Privileged Modes 207
4.3.2 Nested Program Units 208
4.4 Authorization Lists 209
4.4.1 Owned Objects 210
4.4.2 Revocation 213
4.5 Capabilities 216
4.5.1 Domain Switching with Protected Entry Points 218
4.5.2 Abstract Data Types 219
4.5.3 Capability-Based Addressing 224
4.5.4 Revocation 227
4.5.5 Locks and Keys 228
4.5.6 Query Modification 230
4.6 Verifiably Secure Systems 231
4.6.1 Security Kernels 232
4.6.2 Levels of Abstraction 235
4.6.3 Verification 236
4.7 Theory of Safe Systems 240
4.7.1 Mono-Operational Systems 241
4.7.2 General Systems 242
4.7.3 Theories for General Systems 245
4.7.4 Take-Grant Systems 248
Exercises 257
References 259
INFERENCE CONTROLS 331
6.1 Statistical Database Model 332
6.1.1 Information State 332
6.1.2 Types of Statistics 334
6.1.3 Disclosure of Sensitive Statistics 336
6.1.4 Perfect Secrecy and Protection 339
6.1.5 Complexity of Disclosure 339
6.2 Inference Control Mechanisms 340
6.2.1 Security and Precision 340
1.1 CRYPTOGRAPHY
Cryptography is the science and study of secret writing. A cipher is a secret method of writing, whereby plaintext (or cleartext) is transformed into ciphertext (sometimes called a cryptogram). The process of transforming plaintext into ciphertext is called encipherment or encryption; the reverse process of transforming ciphertext into plaintext is called decipherment or decryption. Both encipherment and decipherment are controlled by a cryptographic key or keys (see Figure 1.1).
There are two basic types of ciphers: transpositions and substitutions. Trans-
position ciphers rearrange bits or characters in the data. With a "rail-fence"
cipher, for example, the letters of a plaintext message are written down in a
[Figure 1.1: Encipherment and decipherment: a key controls the transformation of plaintext into ciphertext and back.]
pattern resembling a rail fence, and then removed by rows. The following illustrates this pattern:

DISCONCERTED COMPOSER

D   O   R   C   O
 I C N E T D O P S R
  S   C   E   M   E

DORCO ICNETDOPSR SCEME

The key to the cipher is given by the depth of the fence, which in this example is 3.
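A sketch of this transposition in code (an illustrative helper, not from the text): the letters are written along the rails of a zigzag and removed by rows, with the fence depth as the key.

```python
def rail_fence_encipher(plaintext, depth):
    # Write the letters along a zigzag of `depth` rails (depth >= 2)...
    rails = [[] for _ in range(depth)]
    row, step = 0, 1
    for ch in plaintext:
        rails[row].append(ch)
        if row == 0:
            step = 1
        elif row == depth - 1:
            step = -1
        row += step
    # ...then remove them by rows to form the ciphertext.
    return "".join("".join(rail) for rail in rails)
```

With depth 3, DISCONCERTEDCOMPOSER enciphers to DORCOICNETDOPSRSCEME, matching the example above.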
Substitution ciphers replace bits, characters, or blocks of characters with
substitutes. A simple type of substitution cipher shifts each letter in the English
alphabet forward by K positions (shifts past Z cycle back to A); K is the key to the
cipher. The cipher is often called a Caesar cipher because Julius Caesar used it
with K = 3. The following illustrates Caesar's method:
IMPATIENT WAITER
LPSDWLHQW ZDLWHU.
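The shift is a one-line computation per letter. A minimal sketch, keeping non-letters (such as the space) unchanged:

```python
def caesar_encipher(text, k):
    # Shift each letter forward k positions; shifts past Z cycle back to A.
    shifted = []
    for ch in text:
        if ch.isalpha():
            shifted.append(chr((ord(ch) - ord('A') + k) % 26 + ord('A')))
        else:
            shifted.append(ch)  # leave spaces and punctuation alone
    return "".join(shifted)
```

Caesar's K = 3 turns IMPATIENT WAITER into LPSDWLHQW ZDLWHU, as shown above.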
A code is a special type of substitution cipher that uses a "code book" as the
key. Plaintext words or phrases are entered into the code book together with their
ciphertext substitutes, as shown next:

Word        Code
BAKER       1701
FRETTING    5603
GUITARIST   4008
LOAFING     3790

With this code book, the plaintext LOAFING BAKER becomes the ciphertext 3790 1701.
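A code book is just a keyed table lookup. A sketch using the book above (the function names are illustrative):

```python
# The code book from the example; the book itself serves as the key.
codebook = {"BAKER": "1701", "FRETTING": "5603",
            "GUITARIST": "4008", "LOAFING": "3790"}

def encode(message):
    # Replace each plaintext word with its ciphertext substitute.
    return " ".join(codebook[word] for word in message.split())

def decode(ciphertext):
    # Invert the book to recover the plaintext.
    inverse = {code: word for word, code in codebook.items()}
    return " ".join(inverse[group] for group in ciphertext.split())
```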
known. For example, a message describing the location of a buried treasure would probably contain words such as BURIED, TREASURE, NORTH, TURN, RIGHT, MILES.
Under a known-plaintext attack, a cryptanalyst knows some plaintext-
ciphertext pairs. As an example, suppose an enciphered message transmitted from
a user's terminal to the computer is intercepted by a cryptanalyst who knows that
the message begins with a standard header such as "LOGIN". As another exam-
ple, the cryptanalyst may know that the Department field of a particular record
contains the ciphertext for Physics; indeed, the cryptanalyst may know the Department field of every record in the database. In some cases, knowledge of probable words allows a close approximation to a known-plaintext attack. Encrypted programs are particularly vulnerable because of the regular appearance of keywords: e.g., begin, end, var, procedure, if, then. Even if the exact position of encrypted keywords is unknown, a cryptanalyst may be able to make reasonable guesses about them. Ciphers today are usually considered acceptable only if they can withstand a known-plaintext attack under the assumption that the cryptanalyst has an arbitrary number of plaintext-ciphertext pairs.
Under a chosen-plaintext attack, a cryptanalyst is able to acquire the ciphertext corresponding to selected plaintext. This is the most favorable case for the
cryptanalyst. A database system may be particularly vulnerable to this type of
attack if users can insert elements into the database, and then observe the changes
in the stored ciphertext. Bayer and Metzger [Baye76] call this the planted record
problem.
Public-key systems (defined in Section 1.3) have introduced a fourth kind of attack: a chosen-ciphertext attack, in which the cryptanalyst obtains the plaintext corresponding to selected ciphertext. Although the plaintext is not likely to be intelligible, the cryptanalyst may be able to use it to deduce the key.
A cipher is unconditionally secure if, no matter how much ciphertext is inter-
cepted, there is not enough information in the ciphertext to determine the plaintext
uniquely. We shall give a formal definition of an unconditionally secure cipher in
Section 1.4. With one exception, all ciphers are breakable given unlimited re-
sources, so we are more interested in ciphers that are computationally infeasible to
break. A cipher is computationally secure, or strong, if it cannot be broken by
systematic analysis with available resources.
The branch of knowledge embodying both cryptography and cryptanalysis is called cryptology.
Classical cryptography provided secrecy for information sent over channels where eavesdropping and message interception were possible. The sender selected a cipher
and encryption key, and either gave it directly to the receiver or else sent it indi-
rectly over a slow but secure channel (typically a trusted courier). Messages and
replies were transmitted over the insecure channel in ciphertext (see Figure 1.2).
Classical encryption schemes are described in Chapter 2.
Modern cryptography protects data transmitted over high-speed electronic
[Figure 1.2: The classical information channel: sender and receiver share a key distributed over a secure channel; messages travel over the insecure channel in ciphertext.]
lines or stored in computer systems. There are two principal objectives: secrecy (or privacy), to prevent the unauthorized disclosure of data; and authenticity (or integrity), to prevent the unauthorized modification of data.
Information transmitted over electronic lines is vulnerable to passive wire-
tapping, which threatens secrecy, and to active wiretapping, which threatens au-
thenticity (see Figure 1.3). Passive wiretapping (eavesdropping) refers to the
interception of messages, usually without detection. Although it is normally used
to disclose message contents, in computer networks it can also be used to monitor
traffic flow through the network to determine who is communicating with whom.
Protection against disclosure of message contents is provided by enciphering trans-
formations, which are described in Chapter 2, and by the cryptographic techniques
described in Chapter 3. Protection against traffic flow analysis is provided by
controlling the endpoints of encryption; this is discussed in Chapter 3.
Active wiretapping (tampering) refers to deliberate modifications made to
the message stream. This can be for the purpose of making arbitrary changes to a
message, or of replacing data in a message with replays of data from earlier
messages (e.g., replacing the amount field of a transaction "CREDIT SMITH'S
ACCOUNT WITH $10" with the amount field of an earlier transaction "CRED-
IT JONES'S ACCOUNT WITH $5000"). It can be for the purpose of injecting
false messages, injecting replays of previous messages (e.g., to repeat a credit
transaction), or deleting messages (e.g., to prevent a transaction "DEDUCT
$1000 FROM SMITH'S ACCOUNT"). Encryption protects against message
[Figure 1.3: Threats to data in computer systems. Passive wiretapping intercepts messages; active wiretapping overwrites, modifies, replays, inserts, or deletes them; within the system, classified and confidential data are threatened by browsing, leaking, and statistical inference by unclassified users.]
This section describes the general requirements of all cryptographic systems, the specific properties of public-key encryption, and digital signatures.
A cryptographic system (or cryptosystem for short) has five components:

1. A plaintext message space, M.
2. A ciphertext message space, C.
3. A key space, K.
4. A family of enciphering transformations EK: M to C, where K is a key in the key space.
5. A family of deciphering transformations DK: C to M, where K is a key in the key space.
Secrecy requirements
It should be computationally infeasible for a cryptanalyst to systematically
determine the deciphering transformation DK from intercepted ciphertext C,
even if the corresponding plaintext M is known.
Authenticity requirements
It should be computationally infeasible for a cryptanalyst to systematically determine the enciphering transformation EK given C, even if the corresponding plaintext M is known.
It should be computationally infeasible for a cryptanalyst to systematically
find ciphertext C' such that DK(C') is valid plaintext in the set M.
[Figure 1.7: The secrecy and authenticity requirements: which transformations must be protected, and which computations must be disallowed.]
key) be protected. The transformation DK could be revealed if it does not give away EK. Figure 1.7 illustrates.
Simmons classifies cryptosystems as symmetric (one-key) and asymmetric
(two-key) [Simm79]. In symmetric or one-key cryptosystems the enciphering and
deciphering keys are the same (or easily determined from each other). Because we
have assumed the general method of encryption is known, this means the transformations EK and DK are also easily derived from each other. Thus, if both EK and DK
are protected, both secrecy and authenticity are achieved. Secrecy cannot be sepa-
rated from authenticity, however, because making either EK or DK available ex-
poses the other. Thus, all the requirements for both secrecy and authenticity must
hold in one-key systems.
One-key systems provide an excellent way of enciphering users' private files.
Each user A has private transformations EA and DA for enciphering and deciphering files (see Figure 1.8). If other users cannot access EA and DA, then both the secrecy and authenticity of A's data are assured.
One-key systems also provide an excellent way of protecting information
transmitted over computer networks. This is the classical information channel
where the sender and receiver share a secret communication key (see Figure 1.2).
If both parties are mutually trustworthy, they can be assured of both the secrecy
and authenticity of their communications.
[Figure 1.8: A user A enciphers a private file with A's own transformations; the file is stored as encrypted data.]

[Figure 1.9: A database enciphered in a two-key system: users with write authority hold the write-key; users with read authority hold the read-key.]

Until recently, all cryptosystems were one-key systems. Thus, one-key systems are also usually referred to as conventional (or classical) systems. The DES is a conventional system.
In asymmetric or two-key cryptosystems the enciphering and deciphering
keys differ in such a way that at least one key is computationally infeasible to
determine from the other. Thus, one of the transformations EK or DK can be revealed without endangering the other.
Secrecy and authenticity are provided by protecting the separate transformations: DK for secrecy, EK for authenticity. Figure 1.9 illustrates how this principle can be applied to databases, where some users have read-write authority to the database, while other users have read authority only. Users with read-write authority are given both DK and EK, so they can decipher data stored in the database or encipher new data to update the database. If EK cannot be determined from DK, users with read-only authority can be given DK, so they can decipher the data but cannot update it. Thus DK is like a read-key, while EK is like a write-key (more precisely, the deciphering key describing DK is the read-key, and the enciphering key describing EK the write-key).
Note that this does not prevent a user with read-only authority (or no access
authority) from destroying the data by overwriting the database with nonsense. It
only prevents that user from creating valid ciphertext. To protect the data from
such destruction, the system must be secured by access controls, so that no user
can write into the database without the write-key EK. The system need not, however, control read access to the data, because the data cannot be deciphered without the read-key DK.
[Figure 1.10: Secrecy in a public-key system: A enciphers M under B's public transformation EB; B recovers M with the private transformation DB.]

DB(C) = DB(EB(M)) = M.
(See Figure 1.10.) The preceding scheme does not provide authenticity because any user with access to B's public transformation could substitute another message M' for M by replacing C with C' = EB(M').
For authenticity, M must be transformed by A's own private transformation
DA. Ignoring secrecy for the moment, A sends C = DA(M) to B. On receipt, B uses A's public transformation EA to compute

EA(C) = EA(DA(M)) = M.
(See Figure 1.11.) Authenticity is provided because only A can apply the transfor-
mation DA. Secrecy is not provided because any user with access to A's public
transformation can recover M.
Now, we had previously defined a transformation DA as a function from the ciphertext space C to the message space M. To apply DA to plaintext messages, DA must instead map M to C. Furthermore, to restore the original message, EA must be the inverse of DA; that is, EA must be a function from C to M such that EA(DA(M)) = M.
To use a public-key system for both secrecy and authenticity, the ciphertext space C must be equivalent to the plaintext space M, so that any pair of transformations EA and DA can operate on both plaintext and ciphertext messages. Furthermore, both EA and DA must be mutual inverses, so that EA(DA(M)) = DA(EA(M)) = M. These requirements are summarized in Table 1.1.
[Figure 1.11: Authenticity in a public-key system: A applies the private transformation DA; any user can validate the result with A's public transformation EA.]
To achieve both secrecy and authenticity, the sender and receiver must each
apply two sets of transformations. Suppose A wishes to send a message M to B.
First A's private transformation DA is applied. Then A enciphers the result using
B's public enciphering transformation E e, and transmits the doubly transformed
message C = Es(DA(M)) to B. B recovers M by first applying B's own private
deciphering transformation DB, and then applying A's public transformation EA to
validate its authenticity, getting
EA(DB(C)) = EA(DB(EB(DA(M))))
          = EA(DA(M))
          = M.
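This double transformation can be sketched with toy RSA-style arithmetic. The parameters below are purely illustrative: the primes are far too small for real use, and giving both users one shared modulus would be insecure in practice. The shared modulus is chosen here only so that the plaintext and ciphertext spaces coincide, as the text requires.

```python
# Toy modulus shared by A and B so that M and C are the same space [0, n).
p, q = 61, 53
n = p * q                  # 3233
phi = (p - 1) * (q - 1)    # 3120

e_A, d_A = 17, 2753        # A's public/private exponents: 17 * 2753 = 1 (mod 3120)
e_B, d_B = 7, 1783         # B's public/private exponents:  7 * 1783 = 1 (mod 3120)

def transform(m, exponent):
    # Both EK and DK are modular exponentiations, so they commute as required.
    return pow(m, exponent, n)

M = 65
# A signs with the private transformation D_A, then enciphers under B's public E_B:
C = transform(transform(M, d_A), e_B)
# B deciphers with the private D_B, then validates with A's public E_A:
recovered = transform(transform(C, d_B), e_A)
assert recovered == M
```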
[Figure: secrecy and authenticity provided together by the doubly transformed message.]
control information such as the time of day when entrance is permitted. The
information is encrypted under the private key of the central authority issuing the
card. The corresponding public key is distributed to all areas where entry is con-
trolled. The individual enters the restricted area through a special facility where
the identifying information is taken and checked against the information stored on
the individual's card.
A digital signature is a property private to a user or process that is used for signing
messages. Let B be the recipient of a message M signed by A. Then A's signature
must satisfy these requirements:
The monitor must be certain the information reported back has originated
from the observatory and has not been tampered with by the host; thus both
sender and data authenticity are essential.
The host nation must be certain the information channel is not being used for
other purposes; thus it must be able to read all messages transmitted from
the observatory.
Neither the monitor nor the host should be able to create false messages that
appear to have originated from the observatory. If a dispute arises between
the monitor and host about the authenticity of a message, a third party (e.g.,
the United Nations or NATO) must be able to resolve the dispute.
by some authority. Note that these applications do not require a method of resolv-
ing disputes. They could, therefore, be implemented in a conventional system,
where the sender and receiver share a common key.
[Figure: the noisy channel. The sender transmits message M over a channel with noise; the receiver gets a possibly distorted message M'.]
received message M' to ciphertext. Although the role of the cryptanalyst is similar
to the role of the receiver in the noisy channel problem, the role of the sender is
quite different because the objective is to make message recovery infeasible. (See
[Simm79] for more discussion of this.)
Example:
Suppose there are two possibilities: Male and Female, both equally likely;
thus p(Male) = p(Female) = 1/2. Then
H(X) = (1/2)(log2 2) + (1/2)(log2 2) = 1/2 + 1/2 = 1,
Intuitively, each term log2 (1/p(X)) in Eq. (1.1) represents the number of
bits needed to encode message X in an optimal encoding--that is, one which
minimizes the expected number of bits transmitted over the channel. The weighted
average H(X) gives the expected number of bits in optimally encoded messages.
Because 1/p(X) decreases as p(X) increases, an optimal encoding uses short codes for frequently occurring messages at the expense of using longer ones for
infrequent messages. This principle is applied in Morse code, where the most
frequently used letters are assigned the shortest codes.
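Eq. (1.1) is a few lines of code. A minimal sketch:

```python
import math

def entropy(probabilities):
    # H(X) = sum over X of p(X) * log2(1/p(X))  -- Eq. (1.1).
    # Messages with probability 0 contribute nothing and are skipped.
    return sum(p * math.log2(1.0 / p) for p in probabilities if p > 0)
```

The Male/Female example gives entropy([0.5, 0.5]) = 1 bit, and a single certain message gives 0 bits.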
"Huffman codes" [Huff52] are optimal codes assigned to characters, words, machine instructions, or phrases. Single-character Huffman codes are frequently used to compact large files. This is done by first scanning the file to determine the frequency distribution of the ASCII characters, next finding the optimal encoding of the characters, and finally replacing each character with its code. The codes are stored in a table at the beginning of the file, so the original text can be recovered. By encoding longer sequences of characters, the text can be compacted even further, but the storage requirements for the table are increased. A character encoding of the text file for this chapter using the Compact program on UNIX reduced its storage requirements by 38%, which is typical for text files. Machines with variable-length instruction sets use Huffman codes to assign short codes to frequently used instructions (e.g., LOAD, STORE, BRANCH).
The following examples further illustrate the application of Eq. (1.1) to
determine the information content of a message.
Example:
Let n = 3, and let the 3 messages be the letters A, B, and C, where p(A)
= 1/2 and p(B) = p(C) = 1/4. Then
log2(1/p(A)) = log2 2 = 1
log2(1/p(B)) = log2 4 = 2
log2(1/p(C)) = log2 4 = 2,

and

H(X) = (1/2) log2 2 + 2[(1/4) log2 4] = 0.5 + 1.0 = 1.5 .

An optimal encoding assigns A the 1-bit code 0 and assigns B and C the 2-bit codes 10 and 11. The sequence ABAACABC is then encoded as

A  B   A  A  C   A  B   C
0  10  0  0  11  0  10  11
The average number of bits per letter is 12/8 = 1.5.
The preceding encoding is optimal; the expected number of bits per
letter would be at least 1.5 with any other encoding. Note that B, for exam-
ple, cannot be encoded with the single bit 1, because it would then be impos-
sible to decode the bit sequence 11 (it could be either BB or C). Morse code
avoids this problem by separating letters with spaces. Because spaces
(blanks) must be encoded in computer applications, this approach in the long
run requires more storage. ■
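The encoding in the example, and the prefix property that lets it be decoded without separators, can be checked directly (codes as given in the example: 0 for A, 10 for B, 11 for C):

```python
codes = {"A": "0", "B": "10", "C": "11"}

def encode(message):
    # Concatenate the code for each letter; no separators are needed.
    return "".join(codes[ch] for ch in message)

def decode(bits):
    # Because no code is a prefix of another, greedy matching decodes uniquely.
    inverse = {v: k for k, v in codes.items()}
    out, buffer = [], ""
    for bit in bits:
        buffer += bit
        if buffer in inverse:
            out.append(inverse[buffer])
            buffer = ""
    return "".join(out)
```

Encoding ABAACABC yields 12 bits, an average of 1.5 bits per letter as computed above.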
Example:
Suppose all messages are equally likely; that is, p(Xi) = 1/n for i = 1, . . . , n. Then

H(X) = n[(1/n) log2 n] = log2 n.

Thus, log2 n bits are needed to encode each message. For n = 2^k, H(X) = k and k bits are needed to encode each possible message. ■
Example:
Let n = 1 and p(X) = 1. Then H(X) = log2 1 = 0. There is no information because there is no choice. ■
Given n, H(X) is maximal for p(X1) = . . . = p(Xn) = 1/n; that is, when all messages are equally likely (see exercises at end of chapter). H(X) decreases as the distribution of messages becomes more and more skewed, reaching a minimum of H(X) = 0 when p(Xi) = 1 for some message Xi. As an example, suppose X
represents a 32-bit integer variable. Then X can have at most 32 bits of informa-
tion. If small values of X are more likely than larger ones (as is typical in most
programs), then H(X) will be less than 32, and if the exact value of X is known,
H(X) will be 0.
The entropy of a message measures its uncertainty in that it gives the num-
ber of bits of information that must be learned when the message has been distort-
ed by a noisy channel or hidden in ciphertext. For example, if a cryptanalyst
knows the ciphertext block "Z$JP7K" corresponds to either the plaintext "MALE" or the plaintext "FEMALE", the uncertainty is only one bit. The cryptanalyst need only determine one character, say the first, and because there are
only two possibilities for that character, only the distinguishing bit of that charac-
ter need be determined. If it is known that the block corresponds to a salary, then
the uncertainty is more than one bit, but it can be no more than log2 n bits, where n
is the number of possible salaries.
Public-key systems used for secrecy only are vulnerable to a ciphertext-only
attack if there is not enough uncertainty in the plaintext. To see why, consider a
ciphertext C = EA(M), where EA is a public enciphering transformation and M is a plaintext message in a set of n possible messages M1, . . . , Mn. Even if it is computationally infeasible to determine the private deciphering transformation DA, it may be possible to determine M by computing Ci = EA(Mi) for i = 1, 2, . . . until C = Ci, whence M = Mi. This type of attack would work, for example, if M is
known to be an integer salary less than $100,000 because there would be at most
100,000 messages to try. The attack can be prevented by appending a random bit
string to a short message M before enciphering; this string would be discarded on
deciphering. Of course, if authenticity is used with secrecy, that is, C = EA(DB(M)), the cryptanalyst, lacking DB, cannot search the plaintext space this way. Conventional systems are not vulnerable to this attack because the enciphering (and deciphering) key is secret.
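The forward search is easy to mechanize. In the sketch below, E_A is a hypothetical stand-in for a public enciphering transformation (any deterministic injective function exhibits the weakness); the cryptanalyst enciphers every candidate salary until the intercepted ciphertext matches:

```python
def E_A(m):
    # Hypothetical stand-in for a public enciphering transformation;
    # NOT a real cipher, just a deterministic injective map on [0, 100000).
    return (m * 37 + 11) % 100000

intercepted = E_A(54321)   # ciphertext of an unknown salary under $100,000

# Forward search: encipher each candidate plaintext until the ciphertext matches.
recovered = next(m for m in range(100000) if E_A(m) == intercepted)
assert recovered == 54321
```

Appending a random bit string to M before enciphering defeats the search, because the cryptanalyst can no longer enumerate the candidate plaintexts.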
For a given language, consider the set of all messages N characters long. The
rate of the language for messages of length N is defined by r = H(X)/N; that is,
the average number of bits of information in each character. For large N, esti-
mates of r for English range from 1.0 bits/letter to 1.5 bits/letter. The absolute
rate of the language is defined to be the maximum number of bits of information
that could be encoded in each character assuming all possible sequences of charac-
ters are equally likely. If there are L characters in the language, then the absolute
rate is given by R = log2 L, the maximum entropy of the individual characters. For
English, R = log2 26 = 4.7 bits/letter. The actual rate of English is thus consider-
ably less than its absolute rate. The reason is that English, like all natural lan-
guages, is highly redundant. For example, the phrase "occurring frequently" could
be reduced by 58% to "crng frq" without loss of information. By deleting vowels
and double letters, mst ids cn b xprsd n fwr ltrs, bt th xprnc s mst nplsnt.
Redundancy arises from the structure of the language. It is reflected in the statistical properties of English language messages in the following ways [Shan51]:
Example:
Let n = 4 and p(X) = 1/4 for each message X; thus H(X) = log2 4 = 2.
Similarly, let m = 4 and p(Y) = 1/4 for each message Y. Now, suppose each message Y narrows the choice of X to two of the four messages as shown next, where both messages are equally likely:

Y1: X1 or X2,   Y2: X2 or X3
Y3: X3 or X4,   Y4: X4 or X1 .

Then for each Y, pY(X) = 1/2 for two of the X's and pY(X) = 0 for the remaining two X's. Using Eq. (1.2b), the equivocation is thus

HY(X) = Σ p(Y) Σ pY(X) log2(1/pY(X)) = 4[(1/4)(1)] = 1,

since each Y leaves one bit of uncertainty about X.
PM(C) = Σ p(K),

where the sum is taken over all keys K such that EK(M) = C.
Usually there is at most one key K such that EK(M) = C for given M and C, but some ciphers can transform the same plaintext into the same ciphertext under different keys.
A necessary and sufficient condition for perfect secrecy is that for every C,

PM(C) = p(C) for every message M.
This means the probability of receiving a particular ciphertext C given that M was
sent (enciphered under some key) is the same as the probability of receiving C
given that some other message M' was sent (enciphered under a different key).
Perfect secrecy is possible using completely random keys at least as long as the
messages they encipher. Figure 1.14 illustrates a perfect system with four
messages, all equally likely, and four keys, also equally likely. Here pC(M) = p(M) = 1/4, and pM(C) = p(C) = 1/4 for all M and C. A cryptanalyst intercepting one of the ciphertext messages C1, C2, C3, or C4 would have no way of
[Figure 1.14: A perfect system: four equally likely plaintext messages M1, . . . , M4 and four equally likely keys, each key mapping each plaintext message to a distinct ciphertext message C1, . . . , C4.]
determining which of the four keys was used and, therefore, whether the correct message is M1, M2, M3, or M4.
Perfect secrecy requires that the number of keys must be at least as great as
the number of possible messages. Otherwise there would be some message M such
that for a given C, no K deciphers C into M, implying Pc(M) = 0. The cryptana-
lyst could thereby eliminate certain possible plaintext messages from consider-
ation, increasing the chances of breaking the cipher.
Example:
Suppose the 31-character ciphertext
C = LZWJWAKFGGLZWJDSFYMSYWTMLXJWFUZ
was produced by a Caesar cipher (see Section 1.1), where each letter in the alphabet is shifted forward by K positions, 0 ≤ K ≤ 25. Because the number
of possible keys is smaller than the number of possible English sentences of
length 31, perfect secrecy is not achieved. The cipher is easily broken by
trying all 26 keys as shown in Figure 1.15. The plaintext message is
[Figure 1.15 (abridged): decipherment of C under all 26 keys]

Key   Message
 0:   LZWJWAKFGGLZWJDSFYMSYWTMLXJWFUZ
 1:   KYVIVZJEFFKYVICREXLRXVSLKWIVETY
 ...
18:   THEREISNOOTHERLANGUAGEBUTFRENCH
 ...
25:   MAXKXBLGHHMAXKETGZNTZXUNMYKXGVA
M = THERE IS NO OTHER LANGUAGE BUT FRENCH.

Thus

pC(M) = 1
pC(M') = 0, for every other message M'
pM(C) = p(18) = 1/26
pM'(C) = 0, for every other message M'. ■
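Trying all 26 keys, as in Figure 1.15, takes only a few lines of code (a sketch; each candidate key shifts the ciphertext letters back):

```python
C = "LZWJWAKFGGLZWJDSFYMSYWTMLXJWFUZ"

def shift_back(text, k):
    # Decipher a shift cipher with key k by shifting each letter back k positions.
    return "".join(chr((ord(ch) - ord('A') - k) % 26 + ord('A')) for ch in text)

# Enumerate every key; only one decipherment is meaningful English.
candidates = {k: shift_back(C, k) for k in range(26)}
```

Inspecting the 26 candidates shows that only key 18 produces an English sentence.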
Example:
With a slight modification to the preceding scheme, we can create a cipher having perfect secrecy. The trick is to shift each letter by a random amount. Specifically, K is given by a stream k1 k2 . . . , where each ki is a random integer in the range [0, 25] giving the amount of shift for the ith letter. Then the 31-character ciphertext C in the preceding example could correspond to any valid 31-character message, because each possible plaintext message is derived by some key stream. For example, the plaintext message

THIS SPECIES HAS ALWAYS BEEN EXTINCT.

is derived by the key stream

18, 18, 14, 17, 4, . . . .
Though most of the 31-character possible plaintext messages can be ruled
out as not being valid English, this much is known even without the cipher-
text. Perfect secrecy is achieved because interception of the ciphertext does
not reveal anything new about the plaintext message.
The key stream must not repeat or be used to encipher another message. Otherwise, it may be possible to break the cipher by correlating two ciphertexts enciphered under the same portion of the stream (see Section 2.4.4). ■
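The random shift stream is easy to sketch in code; the test shifts below are the ones given in the example:

```python
def stream_encipher(text, keystream):
    # Shift the i-th letter forward by keystream[i] positions, mod 26.
    return "".join(chr((ord(ch) - ord('A') + k) % 26 + ord('A'))
                   for ch, k in zip(text, keystream))

def stream_decipher(text, keystream):
    # Deciphering shifts each letter back by the same amounts.
    return stream_encipher(text, [-k % 26 for k in keystream])
```

Enciphering THISS under the stream 18, 18, 14, 17, 4 gives LZWJW, the first five letters of the example ciphertext.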
A cipher using a nonrepeating random key stream such as the one described
in the preceding example is called a one-time pad. One-time pads are the only
ciphers that achieve perfect secrecy. Implementation of one-time pads and ap-
proximations to one-time pads is studied in Chapters 2 and 3.
Shannon measured the secrecy of a cipher in terms of the key equivocation Hc(K)
of a key K for a given ciphertext C; that is, the amount of uncertainty in K given C.
From Eq. (1.2b), this is
mate it for certain ciphers using a random cipher model. Hellman [Hell77] also
derived Shannon's result using a slightly different approach.
Following Hellman, we assume each plaintext and ciphertext message comes from a finite alphabet of L symbols. Thus there are 2^RN possible messages of length N, where R = log2 L is the absolute rate of the language. The 2^RN messages are partitioned into two subsets: a set of 2^rN meaningful messages and a set of 2^RN - 2^rN meaningless messages, where r is the rate of the language. All meaningful messages are assumed to have the same prior probability 1/2^rN = 2^-rN, while all meaningless messages are assumed to have probability 0.
We also assume there are 2^H(K) keys, all equally likely, where H(K) is the key entropy (number of bits in the key). The prior probability of all keys is p(K) = 1/2^H(K) = 2^-H(K).
A random cipher is one in which, for each key K and ciphertext C, the decipherment DK(C) is an independent random variable uniformly distributed over all 2^RN messages, both meaningful and not. Intuitively, this means that for a given K and C, DK(C) is as likely to produce one plaintext message as any other. Actually the decipherments are not completely independent, because a given key must uniquely encipher a given message, whence DK(C) ≠ DK(C') for C ≠ C'.
[FIGURE (diagram): the random cipher model — each of the 2^RN messages, of which
2^rN are meaningful and 2^RN − 2^rN are meaningless, maps under a given key to one
of the 2^RN ciphertext messages C1, C2, ….]
A given ciphertext of length N deciphers under a randomly chosen key to a
meaningful message with probability

    2^rN / 2^RN = 2^(r−R)N = 2^−DN ,

where D = R − r is the redundancy of the language. The expected number of
spurious key decipherments therefore falls to zero when 2^H(K) · 2^−DN ≈ 1, giving
the unicity distance

    N = H(K) / D ,    (1.4)

the ciphertext length at which a cryptanalyst can expect to pin down the key. If H(K)
grows without bound, as with a nonrepeating random key stream, the unicity distance
is infinite and the cipher is theoretically unbreakable. This is the principle behind
the one-time pad.
Example:
    Consider the DES, which enciphers 64-bit blocks (8 characters) using 56-bit
    keys. The DES is a reasonably close approximation to the random cipher
    model. Figure 1.17 shows F as a function of N for English language messages,
    where H(K) = 56 and D = 3.2 in Eq. (1.3). The unicity distance is thus

        N = 56/3.2 ≈ 17.5 characters,

    or a little over two blocks. Doubling the key size to 112 bits would double the
    unicity distance to 35 characters. ■
[FIGURE 1.17 (plot): the number of spurious key decipherments of the DES plotted
against the length of ciphertext N, falling toward zero at the unicity point
N ≈ 17.5.]
Example:
    Consider a simple substitution cipher that shifts every letter in the alphabet
    forward by K positions, 0 ≤ K ≤ 25. Then H(K) = log2 26 = 4.7 and the
    unicity distance is

        N = 4.7/3.2 ≈ 1.5 characters.

    This estimate does not seem plausible, however, because no substitution
    cipher can be solved with just one or two characters of ciphertext. There are
    two problems with the approximation. First, the estimate D = 3.2 applies
    only to reasonably long messages. Second, the cipher is a poor approximation
    to the random cipher model. This is because most ciphertexts are not produced
    by meaningful messages (e.g., the ciphertext QQQQ is produced only
    by the meaningless messages AAAA, BBBB, …, ZZZZ), whence the decipherments
    are not uniformly distributed over the entire message space. Nevertheless,
    shifted ciphers can generally be solved with just a few characters of
    ciphertext. ■
By contrast, consider a shift cipher applied to a message composed of random
digits, such as 9462083. The reason the cipher cannot be solved is that the language
has no redundancy; every digit counts.
Because of the inherent redundancy of natural languages, many ciphers can
be solved by statistical analysis of the ciphertext. These techniques use frequency
distributions of letters and sequences of letters, ciphertext repetitions, and prob-
able words. Although a full discussion of these techniques is beyond the scope of
this book, Chapter 2 describes how a few simple ciphers can be broken using
frequency distributions. (For more depth in this area, see [Konh81].)
Protection against statistical analysis can be provided by several means. One
way, suggested by Shannon, is by removing some of the redundancy of the
language before encryption. In computer systems, for example, Huffman codes could
be used to remove redundancy by compressing a file before encryption.
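As a concrete sketch of this idea (in Python, and not from the original text), redundancy can be removed with a general-purpose compressor — zlib's DEFLATE uses Huffman coding internally — before enciphering. The XOR key stream here is only a stand-in for a real cipher:

```python
import os
import zlib

def compress_then_encrypt(plaintext: bytes, key_stream: bytes) -> bytes:
    """Remove redundancy first (zlib's DEFLATE uses Huffman coding
    internally), then encipher by XORing with a key stream."""
    compressed = zlib.compress(plaintext)
    assert len(key_stream) >= len(compressed)
    return bytes(c ^ k for c, k in zip(compressed, key_stream))

def decrypt_then_decompress(ciphertext: bytes, key_stream: bytes) -> bytes:
    compressed = bytes(c ^ k for c, k in zip(ciphertext, key_stream))
    return zlib.decompress(compressed)

message = b"the quick brown fox jumps over the lazy dog " * 20
key = os.urandom(len(message))            # ample key material
c = compress_then_encrypt(message, key)
assert decrypt_then_decompress(c, key) == message
# far fewer (and less redundant) bytes are exposed to statistical analysis
assert len(c) < len(message)
```

Because the compressed text has little of the letter-frequency structure of the plaintext, a statistical attack on the ciphertext has much less to work with.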
Shannon also proposed two encryption techniques to thwart attacks based on
statistical analysis: confusion and diffusion. Confusion involves substitutions that
make the relationship between the key and ciphertext as complex as possible.
Diffusion involves transformations that dissipate the statistical properties of
the plaintext across the ciphertext. Many modern ciphers such as the DES and
public-key schemes provide confusion and diffusion through complex enciphering
transformations over large blocks of data. These ciphers can also be operated in
a "chaining mode", where each ciphertext block is functionally dependent on
all preceding blocks; this diffuses the plaintext across the entire ciphertext (see
Chapter 3).
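The chaining idea can be sketched as follows (a hypothetical toy illustration, not from the original text; the XOR "block cipher" merely stands in for a real one such as the DES):

```python
import os

BLOCK = 8  # block size in bytes

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encipher(block: bytes, key: bytes) -> bytes:
    # stand-in for a real block cipher such as the DES
    return xor(block, key)

def chain_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    """Chaining mode: each ciphertext block depends on the current
    plaintext block and the previous ciphertext block, so a change in any
    plaintext block diffuses into all later ciphertext blocks."""
    assert len(plaintext) % BLOCK == 0
    prev, blocks = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encipher(xor(plaintext[i:i + BLOCK], prev), key)
        blocks.append(prev)
    return b"".join(blocks)

key, iv = os.urandom(BLOCK), os.urandom(BLOCK)
m1 = b"AAAAAAAA" * 4
m2 = b"BAAAAAAA" + b"AAAAAAAA" * 3        # differs only in the first byte
c1 = chain_encrypt(m1, key, iv)
c2 = chain_encrypt(m2, key, iv)
# the one-byte change in the first block changes every ciphertext block
assert all(c1[i:i + BLOCK] != c2[i:i + BLOCK]
           for i in range(0, len(c1), BLOCK))
```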
TABLE 1.2 Running times of different classes of algorithms for n = 10^6.

    Class          Complexity   Number of operations for n = 10^6   Real time
    Polynomial:
      Constant     O(1)         1                                   1 μsec
      Linear       O(n)         10^6                                1 second
      Quadratic    O(n^2)       10^12                               10 days
      Cubic        O(n^3)       10^18                               27,397 years
    Exponential    O(2^n)       10^301030                           10^301016 years
The order-of-magnitude notation T = O(f(n)) describes how the time and space
requirements grow as the size of the input increases. For example, if T = O(n^2),
doubling the size of the input quadruples the running time.
It is customary to classify algorithms by their time (or space) complexities.
An algorithm is polynomial (more precisely, polynomial time) if its running time is
given by T = O(n^t) for some constant t; it is constant if t = 0, linear if t = 1,
quadratic if t = 2, and so forth. It is exponential if T = O(t^h(n)) for constant t and
polynomial h(n).
For large n, the complexity of an algorithm can make an enormous difference.
For example, consider a machine capable of performing one instruction per
microsecond (μsec); this is 10^6 instructions per second, or 8.64 × 10^10 instructions
per day. Table 1.2 shows the running times of different classes of algorithms for
n = 10^6, where we have ignored all constants and rounded to 10^11 instructions per
day. At T = O(n^3), execution of the algorithm becomes computationally infeasible
on a sequential machine. It is conceivable, however, that a configuration with 1
million processors could complete the computation in about 10 days. For
T = O(2^n), execution of the algorithm is computationally infeasible even if we could
have trillions of processors working in parallel.
Many ciphers can be solved by exhaustively searching the entire key space,
trying each possible key to ascertain whether it deciphers into meaningful plaintext
or some known plaintext. If n = 2^H(K) is the size of the key space, then the
running time of this strategy is T = O(n) = O(2^H(K)). Thus, the time is linear in
the number of keys, but exponential in the key length. This is why doubling the
length of the keys used for DES from 56 bits to 112 bits can have a dramatic
impact on the difficulty of breaking the cipher, even though it increases the unicity
distance only by a factor of 2.
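A sketch of exhaustive key search against a simple shift cipher (an illustration, not from the original text; function names are ours):

```python
def encipher(msg: str, key: int) -> str:
    # shifted substitution cipher over the uppercase alphabet
    return "".join(chr((ord(ch) - 65 + key) % 26 + 65) for ch in msg)

def exhaustive_search(ciphertext: str, known_plaintext: str):
    """Try every key; the running time is O(n) for n = 2**H(K) keys,
    i.e., exponential in the key length H(K)."""
    for key in range(26):                 # the entire key space
        if encipher(known_plaintext, key) == ciphertext:
            return key
    return None

c = encipher("ATTACKATDAWN", 3)
assert exhaustive_search(c, "ATTACKATDAWN") == 3
```

Here the key space has only 26 elements; for the DES the same loop would run over 2^56 keys, and over 2^112 keys with doubled key length.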
Complexity theory classifies a problem according to the minimum time and space
needed to solve the hardest instances of the problem on a Turing Machine (or
some other abstract model of computation). A Turing Machine (TM) is a finite
state machine with an infinite read-write tape (e.g., see [Gare79,Aho74,Mins67]
or the description in Section 4.7.2 for details). A TM is a "realistic" model of
computation.
[FIGURE (diagram): containment of complexity classes — NP ∩ CoNP lies inside NP
and CoNP; the NP-complete and CoNP-complete problems lie at the boundaries of NP
and CoNP; all are contained in PSPACE, which contains the PSPACE-complete
problems and is contained in EXPTIME.]
† The integers represent rod lengths, and the problem is to find a subset of rods that exactly fits
a one-dimensional knapsack of length n.
Problems in NP are of the form "show a solution exists," whereas the complementary
problems in CoNP are of the form "show there are no solutions." It is not known
whether NP = CoNP, but there are problems that fall in the intersection NP ∩ CoNP.
An example of such a problem is the "composite numbers problem": given an integer
n, determine whether n is composite (i.e., there exist factors p and q such that
n = pq) or prime (i.e., there are no such factors). The problem of finding factors,
however, may be harder than showing their existence.
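One way to show an integer composite without producing any factor is to exhibit a Fermat witness, an application of Fermat's little theorem (an illustrative aside, not from the original text):

```python
def is_composite_fermat(n: int) -> bool:
    """Prove n composite by exhibiting a base a with a^(n-1) mod n != 1,
    violating Fermat's little theorem; no factor of n is produced.
    (Exhaustive over all bases, so suitable only for small n; the rare
    Carmichael numbers defeat this particular test.)"""
    return any(pow(a, n - 1, n) != 1 for a in range(2, n - 1))

assert is_composite_fermat(91)        # 91 = 7 * 13, yet no factor is found
assert not is_composite_fermat(97)    # 97 is prime
```

The witness certifies compositeness, yet extracting the factors 7 and 13 of 91 is a separate, possibly harder, computation.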
The class PSPACE consists of those problems solvable in polynomial space,
but not necessarily polynomial time. It includes NP and CoNP, but there are
problems in PSPACE that are thought by some to be harder than problems in NP
and CoNP. The PSPACE-complete problems have the property that if any one of
them is in NP, then PSPACE = NP, or if any one is in P, then PSPACE = P. The
class EXPTIME consists of those problems solvable in exponential time, and in-
cludes PSPACE. The interested reader is referred to [Gare79,Aho74] for a more
complete treatment of complexity theory.
In their 1976 paper, Diffie and Hellman [Diff76] suggested applying computa-
tional complexity to the design of encryption algorithms. They noted that NP-
complete problems might make excellent candidates for ciphers because they
cannot be solved in polynomial time by any known techniques. Problems that are
computationally more difficult than the problems in NP are not suitable for en-
cryption because the enciphering and deciphering transformations must be fast
(i.e., computable in polynomial time). But this means the cryptanalyst could guess
a key and check the solution in polynomial time (e.g., by enciphering known
plaintext). Thus, the cryptanalytic effort to break any polynomial-time encryption
algorithm must be in NP.
Diffie and Hellman speculated that cryptography could draw from the the-
ory of NP complexity by examining ways in which NP-complete problems could
be adapted to cryptographic use. Information could be enciphered by encoding it
in an NP-complete problem in such a way that breaking the cipher would require
solving the problem in the usual way. With the deciphering key, however, a short-
cut solution would be possible.
To construct such a cipher, secret "trapdoor" information is inserted into a
computationally hard problem that involves inverting a one-way function. A function
f is a one-way function if it is easy to compute f(x) for any x in the domain of
f, while, for almost all y in the range of f, it is computationally infeasible to
compute f^(−1)(y) even if f is known. It is a trapdoor one-way function if it is easy to
compute f^(−1) given certain additional information. This additional information is
the secret deciphering key.
Public-key systems are based on this principle. The trapdoor knapsack
schemes described in Section 2.8 are based on the knapsack problem. The RSA
scheme described in Section 2.7 is based on factoring composite numbers.
This approach has several difficulties, however. The complexity of a problem is
determined by its hardest instances, whereas the instances arising in a cipher may be
much easier; worst-case complexity says little about the effort needed to solve typical
instances; and it may not even be possible to prove that breaking a cipher is
NP-complete.
Lempel [Lemp79] illustrates the first deficiency with a block cipher for
which the problem of finding an n-bit key is NP-complete when the plaintext
corresponding to one block of ciphertext is known. But given enough known plain-
text, the problem reduces to solving n linear equations in n unknowns. The cipher
is described in Section 2.8.4.
Shamir [Sham79] proposes a new complexity measure to deal with the second
difficulty. Given a fraction r such that 0 ≤ r ≤ 1, the percentile complexity
T(n, r) of a problem measures the time to solve the easiest proportion r of the
problem instances of size n. For example, T(n, 0.5) gives the median complexity;
that is, at least half of the instances of size n can be solved within time T(n, 0.5).
The problem of deciding whether a given integer is prime has median complexity
O(1) because half of the numbers have 2 as a factor, and this can be tested in
constant time.
With respect to the third difficulty, Brassard [Bras79b] shows it may not be
possible to prove that the cryptanalytic effort to invert a trapdoor one-way func-
tion is NP-complete. If the function satisfies a few restrictions, then a proof of NP-
completeness would imply NP = CoNP.
This section summarizes the concepts of number theory needed to understand the
cryptographic techniques described in Chapters 2 and 3. Because we are primarily
interested in the properties of modular arithmetic rather than congruences in gen-
eral, we shall review the basic theorems of number theory in terms of modular
arithmetic, emphasizing their computational aspects. We shall give proofs of these
fascinating theorems for the benefit of readers unfamiliar with them. Readers
familiar with these results can go on to the next chapter. For a comprehensive
treatment of this material, see, for example, [LeVe77,Nive72,Vino55].
Two integers a and b are congruent modulo n, written

    a ≡ₙ b ,

if and only if

    a − b = kn for some integer k ;

that is,

    n | (a − b) .

We write

    a mod n

to denote the residue r of a modulo n in the range [0, n − 1].† For example,
7 mod 3 = 1.

† We shall reserve the more familiar notation using "mod n" for modular arithmetic.

Clearly, a ≡ₙ b if and only if (a mod n) = (b mod n). Reduction mod n is a
homomorphism from the ring of integers to the ring of integers mod n as shown
next:
Theorem 1.1. Principle of modular arithmetic:
    Let a1 and a2 be integers, and let op be one of the binary operators +, −, or *.
    Then reduction mod n is a homomorphism from the integers to the integers
    mod n (see Figure 1.19); that is,

    (a1 op a2) mod n = [(a1 mod n) op (a2 mod n)] mod n .

Proof:
    We can write

    a1 = k1·n + r1
    a2 = k2·n + r2

    where r1, r2 ∈ [0, n − 1]. For addition, we have

    (a1 + a2) mod n = [(k1·n + r1) + (k2·n + r2)] mod n
                    = [(k1 + k2)·n + (r1 + r2)] mod n
                    = [r1 + r2] mod n
                    = [(a1 mod n) + (a2 mod n)] mod n .
[FIGURE 1.19 (diagram): reduction mod n as a homomorphism — a1 and a2 may be
combined with op over the integers and then reduced mod n, or reduced first to
(a1 mod n) and (a2 mod n) and then combined with op over the integers mod n.]
Example:
    The following illustrates how this principle is applied to check the result of a
    computation (135273 + 261909 + 522044):

        Integer        Mod 9
        Arithmetic     Arithmetic
         135273          3
         261909          0
        +522044         +8
         919226   ↔      2 .  ■
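The mod 9 check works because 10 mod 9 = 1, so a decimal number is congruent mod 9 to the sum of its digits; a small sketch (in Python, with illustrative names):

```python
def digit_sum_mod9(n: int) -> int:
    # 10 mod 9 = 1, so a decimal number is congruent mod 9 to its digit sum
    return sum(int(d) for d in str(n)) % 9

terms = [135273, 261909, 522044]
total = sum(terms)                                    # 919226
# check the addition in cheap mod 9 arithmetic, as in the example above
assert total % 9 == sum(digit_sum_mod9(t) for t in terms) % 9
assert digit_sum_mod9(total) == 2
```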
Note that the principle of modular arithmetic also applies to exponentiations
of the form e^t, where 0 ≤ t ≤ n − 1; that is, computing e^t in mod n arithmetic is
equivalent to computing e^t and reducing the result mod n. This is because
exponentiation is equivalent to repeated multiplication:

    e^t mod n = [ Π_{i=1}^{t} (e mod n) ] mod n .
Example:
    Consider the expression

        3^5 mod 7.

    This can be computed by raising 3 to the power 5 and then reducing the
    result mod 7 as shown next:

        1. Square 3:            3 * 3 = 9
        2. Square the result:   9 * 9 = 81
        3. Multiply by 3:       81 * 3 = 243
        4. Reduce mod 7:        243 mod 7 = 5,

    where we have used the method of repeated squaring and multiplication to
    reduce the number of multiplications. Alternatively, the intermediate results
    of the computation can be reduced mod 7 as shown next:

        1. Square 3:            3 * 3 mod 7 = 2
        2. Square the result:   2 * 2 mod 7 = 4
        3. Multiply by 3:       4 * 3 mod 7 = 5.  ■
If t ≥ n, reducing t mod n may not give the same result; that is, e^(t mod n) mod n
may not equal e^t mod n. For example, 2^(5 mod 3) mod 3 = 1, but 2^5 mod 3 = 2.
Computing in modular arithmetic has the advantage of restricting the range
of the intermediate values. For a k-bit modulus n (i.e., 2^(k−1) ≤ n < 2^k), the value
of any addition, subtraction, or multiplication will be at most 2k bits. This means
that we can, for example, perform exponentiations of the form a^z mod n using
large numbers without generating enormous intermediate results.
Because some of the encryption algorithms discussed later in this book are
based on modular exponentiation, a fast exponentiation method is important.
Algorithm fastexp(a, z, n) computes x = a^z mod n by repeated squaring and
multiplication, performing a number of multiplications proportional to k,
where k = ⌊log2 z⌋ is the length of z in bits ("⌊ ⌋" denotes the floor — i.e., round
down to nearest integer); this is linear in the length of z. The expected number of
multiplications for all z of length k is 1.5k + 1. By comparison, a naive algorithm
performs z − 1 multiplications, which is exponential in the length of z.
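A possible realization of fastexp in Python (a sketch of the repeated squaring and multiplication method; variable names are illustrative):

```python
def fastexp(a: int, z: int, n: int) -> int:
    """Compute a**z mod n by repeated squaring and multiplication,
    using on the order of log2(z) modular multiplications."""
    x = 1
    a %= n
    while z > 0:
        if z & 1:                 # low-order bit of z set: multiply
            x = (x * a) % n
        a = (a * a) % n           # square
        z >>= 1
    return x

assert fastexp(3, 5, 7) == 5      # agrees with the example above
assert fastexp(3, 5, 7) == pow(3, 5, 7)
```

Every intermediate value stays below n^2, so even very large exponents never generate enormous intermediate results.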
Modular arithmetic also permits the computation of multiplicative inverses: x is a
multiplicative inverse of a mod n if

    ax mod n = 1 .

For example, 3 and 7 are multiplicative inverses mod 10 because 3 · 7 mod 10 =
21 mod 10 = 1. It is this capability to compute inverses that makes modular
arithmetic so appealing in cryptographic applications.

We will now show that given a ∈ [0, n − 1], a has a unique inverse mod n
when a and n are relatively prime; that is, when gcd(a, n) = 1, where "gcd"
denotes the greatest common divisor. We first prove the following lemma:
Lemma 1.1:
    If gcd(a, n) = 1, then (ai mod n) ≠ (aj mod n) for each i, j such that
    0 ≤ i < j < n.

Proof:
    Assume the contrary. Then n | a(i − j). Since gcd(a, n) = 1, (i − j)
    must be a multiple of n. But this is impossible because both i and j are
    smaller than n. ■
Example:
    Let a = 3 and n = 5, where gcd(3, 5) = 1. Then the products 3i mod 5 are
    all distinct:

        3 * 0 mod 5 = 0
        3 * 1 mod 5 = 3
        3 * 2 mod 5 = 1
        3 * 3 mod 5 = 4
        3 * 4 mod 5 = 2 .

    By contrast, for a = 2 and n = 4, where gcd(2, 4) = 2, they are not:

        2 * 0 mod 4 = 0
        2 * 1 mod 4 = 2
        2 * 2 mod 4 = 0
        2 * 3 mod 4 = 2 .  ■
Theorem 1.2:
    If gcd(a, n) = 1, then there exists an integer x, 0 < x < n, such that
    ax mod n = 1.

Proof:
    Because the set {ai mod n}, i = 0, …, n − 1, is a permutation of
    {0, 1, …, n − 1}, x = i, where ai mod n = 1, is a solution. ■
Theorem 1.2 shows the existence of an inverse, but does not give an algorithm for
finding it. We shall now review some additional properties of congruences related
to reduced residues and the Euler totient function, showing how these properties
lead to the construction of an algorithm for computing inverses.

The reduced set of residues mod n is the subset of residues {0, …, n − 1}
relatively prime to n.† For example, the reduced set of residues mod 10 is {1, 3, 7,
9}. If n is prime, the reduced set of residues is the set of n − 1 elements {1, 2, …,
n − 1}; that is, it is the complete set of residues except for 0. Note that 0 is never
included in the reduced set of residues.
The Euler totient function φ(n) is the number of elements in the reduced set
of residues modulo n. Equivalently, φ(n) is the number of positive integers less
than n that are relatively prime to n.
For a given modulus n, let {r1, …, r_φ(n)} be the reduced set of residues. The
reduced set of residues has the property that every integer relatively prime to n is
congruent modulo n to some member rj of the set. Thus if gcd(a, n) = 1 for some
integer a, then for each ri [1 ≤ i ≤ φ(n)], gcd(a·ri, n) = 1 and a·ri mod n = rj for
some rj. By the same reasoning as for a complete set of residues, the set
{a·ri mod n}, i = 1, …, φ(n), is, therefore, a permutation of {r1, …, r_φ(n)}.
For prime p, the number of integers less than p that are relatively prime to p
is trivially given by φ(p) = p − 1. For the product of two primes p and q we have:

Theorem 1.3:
    For n = pq and p, q prime,

    φ(n) = φ(p)φ(q) = (p − 1)(q − 1) .

Proof:
    Consider the complete set of residues modulo n: {0, 1, …, pq − 1}. All
    of these residues are relatively prime to n except for the p − 1 elements
    {q, 2q, …, (p − 1)q}, the q − 1 elements {p, 2p, …, (q − 1)p}, and 0.
    Therefore,

    φ(n) = pq − [(p − 1) + (q − 1) + 1] = pq − p − q + 1
         = (p − 1)(q − 1) . ■
Example:
    Let p = 3 and q = 5. Then φ(15) = (3 − 1)(5 − 1) = 2 · 4 = 8, and there
    are 8 elements in the reduced set of residues modulo 15: {1, 2, 4, 7, 8, 11, 13,
    14}. ■
† Strictly speaking, any complete set of residues relatively prime to n is a reduced set of residues;
here we are only interested in the set of residues in the range [1, n − 1].
More generally, for arbitrary n,

    φ(n) = Π_{i=1}^{t} p_i^(e_i − 1) (p_i − 1) ,

where

    n = p1^e1 p2^e2 ··· pt^et

is the prime factorization of n (i.e., the p_i are distinct primes, and e_i gives the
number of occurrences of p_i).
Example:
    For n = 24 = 2^3 · 3^1,

    φ(24) = 2^2(2 − 1) · 3^0(3 − 1) = 8;

    the reduced set of residues is {1, 5, 7, 11, 13, 17, 19, 23}. ■
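A sketch of computing φ(n) from the prime factorization (an illustration in Python; the trial-division factoring is adequate only for small n):

```python
def totient(n: int) -> int:
    """phi(n) from the prime factorization n = p1^e1 * ... * pt^et:
    phi(n) = product over i of pi^(ei - 1) * (pi - 1)."""
    phi, m, p = 1, n, 2
    while p * p <= m:
        if m % p == 0:
            e = 0
            while m % p == 0:       # extract the full power of p
                m //= p
                e += 1
            phi *= p ** (e - 1) * (p - 1)
        p += 1
    if m > 1:                       # one prime factor remains
        phi *= m - 1
    return phi

assert totient(24) == 8                     # matches the example above
assert totient(15) == (3 - 1) * (5 - 1)     # Theorem 1.3: phi(pq) = (p-1)(q-1)
```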
Euler's generalization of Fermat's theorem states that if gcd(a, n) = 1, then

    a^φ(n) mod n = 1 .

Proof:
    Let {r1, …, r_φ(n)} be the reduced set of residues modulo n such that
    0 < ri < n for 1 ≤ i ≤ φ(n). Then {a·r1 mod n, …, a·r_φ(n) mod n} is a
    permutation of {r1, …, r_φ(n)}. Therefore,

    Π_{i=1}^{φ(n)} (a·ri mod n) = Π_{i=1}^{φ(n)} ri ,

    giving

    (a^φ(n) mod n) Π_{i=1}^{φ(n)} ri = Π_{i=1}^{φ(n)} ri ,

    whence a^φ(n) mod n = 1. ■

This result gives a method of computing the inverse of a mod n when
gcd(a, n) = 1: x = a^(φ(n)−1) mod n, because ax mod n = a^φ(n) mod n = 1.
Example:
    Let a = 3 and n = 7. Then the inverse of 3 is

    x = 3^(φ(7)−1) mod 7 = 3^5 mod 7 = 5 ,

    and indeed 3 · 5 mod 7 = 1. ■
Example:
    The following illustrates the execution of the algorithm to solve the equation
    "3x mod 7 = 1":

        i    gi    ui    vi    y
        0    7     1     0
        1    3     0     1     2
        2    1     1    −2     3
        3    0

    The inverse of 3 mod 7 is v2 mod 7 = −2 mod 7 = 5.
Note that the implementation of the algorithm can use three local variables:
glast, g, and gnext to represent g_{i−1}, g_i, and g_{i+1}, respectively, for all i
(similarly for v). Note also that the variable u is not essential to the computation
and, therefore, can be omitted. We have presented the algorithm in the preceding
form for clarity.
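The extended Euclidean computation of inverses can be sketched as follows (in Python, keeping only the g and v sequences as just described; names are illustrative):

```python
def inv(a: int, n: int) -> int:
    """Inverse of a mod n via the extended Euclidean algorithm,
    keeping only the g and v sequences (u is not needed)."""
    g, g_next = n, a
    v, v_next = 0, 1
    while g_next != 0:
        y = g // g_next                          # quotient y_i
        g, g_next = g_next, g - y * g_next
        v, v_next = v_next, v - y * v_next
    assert g == 1, "a has no inverse mod n"
    return v % n

assert inv(3, 7) == 5                # as in the trace above
assert (3 * inv(3, 10)) % 10 == 1    # 3 and 7 are inverses mod 10
```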
The algorithm is easily extended to find solutions to general equations

    ax mod n = b

when gcd(a, n) = 1. First, the solution x0 to "ax mod n = 1" is found. Now,
because a(b·x0) mod n = b(a·x0 mod n) mod n = b,

    x = b·x0 mod n

is a solution to "ax mod n = b".
FIGURE 1.21 Euclid's algorithm for computing the greatest common divisor.

    Algorithm gcd(a, n)
    begin
        g0 := n;
        g1 := a;
        i := 1;
        while gi ≠ 0 do
            begin
                gi+1 := gi−1 mod gi;
                i := i + 1
            end;
        gcd := gi−1
    end
Theorem 1.6:
    Let g = gcd(a, n). If g | b (i.e., b mod g = 0), the equation

    ax mod n = b

    has exactly g solutions in the range [0, n − 1]; otherwise, it has none. Let x0
    be the unique solution in the range [1, (n/g) − 1] of "(a/g)x mod (n/g) = 1".
    Then x1 = (b/g)·x0 mod (n/g) is a solution of

    (a/g)x mod (n/g) = (b/g) ,

    and the g solutions of "ax mod n = b" are given by

    x = x1 + t(n/g) ,    t = 0, …, g − 1 .
Example:
    Consider the equation

    6x mod 10 = 4 .

    Because g = gcd(6, 10) = 2, and 2 divides 4, there are 2 solutions. We first
    compute the solution x0 to the equation

    (6/2)x mod (10/2) = 1 ,

    that is,

    3x mod 5 = 1 ,

    giving x0 = 2. Then

    x1 = (4/2) · 2 mod (10/2) = 4 mod 5 = 4 .

    The solutions are:

    t = 0:  x = 4
    t = 1:  x = [4 + (10/2)] mod 10 = 9 .  ■
Figure 1.23 gives an algorithm for printing the solutions described by
Theorem 1.6. Division is denoted by "/" rather than "div" where the numerator is
evenly divisible by the denominator.
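Theorem 1.6 can be sketched as a procedure (an illustration in Python; the enumeration used to find x0 is adequate only for small moduli):

```python
from math import gcd

def solve_linear(a: int, n: int, b: int):
    """All x in [0, n-1] with a*x mod n == b, following Theorem 1.6."""
    g = gcd(a, n)
    if b % g != 0:
        return []                                 # no solutions
    n_g = n // g
    # x0: unique solution of (a/g) x mod (n/g) = 1, found by enumeration
    x0 = next(x for x in range(1, n_g) if (a // g) * x % n_g == 1)
    x1 = (b // g) * x0 % n_g
    return [(x1 + t * n_g) % n for t in range(g)]

assert solve_linear(6, 10, 4) == [4, 9]               # the example above
assert solve_linear(15, 25, 10) == [4, 9, 14, 19, 24]
```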
An equation of the form "ax mod n = b" may also be solved using the prime
factorization of n. Let

    n = d1 d2 ··· dt ,

where

    di = pi^ei    (1 ≤ i ≤ t)

and the pi are distinct primes. Thus, the di are pairwise relatively prime.
Let f(x) be a polynomial in x. The following theorem shows that x is a
solution to the equation f(x) mod n = 0 if and only if x is a common solution to the
set of equations f(x) mod di = 0 for i = 1, …, t.
Theorem 1.7:
    Let d1, …, dt be pairwise relatively prime, and let n = d1 d2 ··· dt. Then
    f(x) mod n = 0 if and only if f(x) mod di = 0 for i = 1, …, t.

Proof:
    Because the di are pairwise relatively prime, n | f(x) if and only if
    di | f(x) for i = 1, …, t. ■
In particular, solving the equation

    ax mod n = b

is equivalent to solving the system of equations

    ax mod di = b mod di    (1 ≤ i ≤ t) .

Given a solution xi to each of these equations, a common solution x satisfying

    (x mod di) = xi    (i = 1, …, t)

is obtained from the Chinese Remainder Theorem, which states that this system
has a unique common solution x in the range [0, n − 1].

Proof:
    Now, for each i = 1, …, t, gcd(di, n/di) = 1. Therefore, there exist yi
    such that (n/di)·yi mod di = 1. Furthermore, (n/di)·yi mod dj = 0 for
    j ≠ i because dj is a factor of (n/di). Let

    x = [ Σ_{i=1}^{t} (n/di)·yi·xi ] mod n .

    Then

    x mod di = (n/di)·yi·xi mod di = xi . ■
Example:
    We shall show how the Chinese Remainder Theorem can be used to solve the
    equation "3x mod 10 = 1". We observe that 10 = 2 · 5, so d1 = 2 and d2 = 5.
    We first find solutions x1 and x2, respectively, to the equations:
FIGURE 1.24 Algorithm crt.

    Algorithm crt(x1, …, xt)
    begin "return x ∈ [0, n − 1] such that x mod di = xi (1 ≤ i ≤ t)"
        for i := 1 to t do
            yi := inv((n/di) mod di, di);
        x := 0;
        for i := 1 to t do
            x := [x + (n/di) * yi * xi] mod n;
        crt := x
    end
    3x mod 2 = 1
    3x mod 5 = 1 ,

giving

    x mod 2 = x1 = 1
    x mod 5 = x2 = 2 .

Next we find y1 and y2 such that

    (10/2)·y1 mod 2 = 1, and
    (10/5)·y2 mod 5 = 1 ,

giving y1 = 1 and y2 = 3. The common solution is then

    x = [(10/2)·y1·x1 + (10/5)·y2·x2] mod 10 = [5 + 12] mod 10 = 7 ,

and indeed 3 · 7 mod 10 = 1. ■
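Algorithm crt can be sketched in Python as follows (an illustration; the inverses yi are computed here with Python's built-in modular inverse rather than algorithm inv):

```python
def crt(residues, moduli):
    """Return x in [0, n-1] with x mod d_i = x_i for pairwise relatively
    prime moduli d_i, as in algorithm crt of Figure 1.24."""
    n = 1
    for d in moduli:
        n *= d
    x = 0
    for x_i, d in zip(residues, moduli):
        y = pow(n // d % d, -1, d)       # y_i with (n/d_i) y_i mod d_i = 1
        x = (x + (n // d) * y * x_i) % n
    return x

assert crt([1, 2], [2, 5]) == 7           # solves 3x mod 10 = 1: x = 7
assert 3 * crt([1, 2], [2, 5]) % 10 == 1
```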
When the modulus is a prime p, every integer in [1, p − 1] is relatively prime
to p and so has a multiplicative inverse; division as well as multiplication is
therefore always possible. The set of integers mod p, together with the arithmetic
operations, is a finite field†, called the Galois field GF(p) after its discoverer
Évariste Galois. Because division is possible, arithmetic mod p is more powerful
than ordinary integer arithmetic. Real arithmetic is not generally applicable to
cryptography because information is lost through round-off errors (the same holds
for integer division, where information is lost through truncation). Many of the
ciphers developed in recent years are based on arithmetic in GF(p), where p is a
large prime.
Another type of Galois field with applications in cryptography is based on
arithmetic mod q over polynomials of degree n. These fields, denoted GF(q^n), have
elements that are polynomials of degree n − 1 (or lower) of the form

    a = a_{n−1} x^{n−1} + ··· + a_1 x + a_0 ,

where the coefficients a_i are integers mod q. Each element a is a residue mod p(x),
where p(x) is an irreducible polynomial of degree n (i.e., p cannot be factored into
polynomials of degree less than n).
Arithmetic on the coefficients of the polynomials is done mod q. For example,
the coefficients c_i in the sum c = a + b are given by c_i = (a_i + b_i) mod q
(0 ≤ i < n). Because a and b are of degree n − 1, the sum a + b is a polynomial of
degree at most n − 1, whence it is already reduced mod p(x). The product a * b
could be of degree greater than n − 1 (but at most 2n − 2), however, so it must be
reduced mod p(x); this is done by dividing by p(x) and taking the remainder.
Of particular interest in computer applications are the fields GF(2^n). Here
the coefficients of the polynomials are the binary digits 0 and 1. Thus, an element
a can be represented as a bit vector (a_{n−1}, …, a_1, a_0) of length n, and each of the
possible 2^n bit vectors of length n corresponds to a different element in GF(2^n). For
example, the bit vector 11001‡ corresponds to the polynomial (x^4 + x^3 + 1) in
GF(2^5). To avoid confusion with the notation GF(p), where p is a prime number,
we shall not write GF(32) for GF(2^5), for example, even though 32 is not prime.
Computing in GF(2^n) is more efficient in both space and time than computing
in GF(p). Let p be a prime number such that 2^(n−1) < p < 2^n, whence the
elements of GF(p) are also represented as bit vectors of length n (using the standard
binary representation of the positive integers; e.g., 11001 corresponds to the
integer 2^4 + 2^3 + 1 = 25). We first observe that whereas all 2^n bit vectors
correspond to elements of GF(2^n), this is not true for GF(p); in particular, the bit
vectors representing the integers in the range [p, 2^n − 1] are not elements of
GF(p). Thus it is possible to represent more elements (up to twice as many!) in
GF(2^n) than in GF(p) using the same amount of space. This can be important in
cryptographic applications, where the strength of a scheme usually depends on the
size of the field. For comparable levels of security, GF(2^n) is more efficient in
terms of space than GF(p).
We next observe that arithmetic is more efficient in GF(2^n) than in GF(p).

† A field is any integral domain in which every element besides 0 has a multiplicative inverse;
the rational numbers form an infinite field.
‡ To simplify our notation, we shall write bit vectors as strings here and elsewhere in the book.
To see why, we shall briefly describe how the arithmetic operations are
implemented in GF(2^n). We assume the reader has a basic understanding of integer
arithmetic in digital computers.

We first consider operations over the binary coefficients of the polynomials.
Recall that these operations are performed mod 2. Let u and v be binary digits.
Then u and v can be added simply by taking the "exclusive-or" u ⊕ v. Thus the
coefficients of the sum c = a + b are given by

    c_i = a_i ⊕ b_i    for i = 0, …, n − 1 .

The operator ⊕ is extended pairwise to bit strings, so we can also write c = a ⊕ b
to denote the sum (or difference) of a and b.
Example:
    Let a = 10101 and b = 01100. In GF(2^5), c = a + b is computed as follows:

        a = 10101
        b = 01100
        c = 11001 .

    By contrast, if we add the bit vectors a and b in GF(p) for p = 31, we must
    perform carries during the addition, and then divide to reduce the result mod
    31 (10101 and 01100 represent 21 and 12; 21 + 12 = 33, and 33 mod 31 = 2,
    giving 00010).
The product d = a * b is given by

    d = [ Σ_{i=0}^{n−1} (a_i * b) x^i ] mod p(x) ,

where

    a_i * b = b_{n−1} x^{n−1} + ··· + b_0    if a_i = 1
    a_i * b = 0                              otherwise.
Example:
    Let a = 101. If a is squared in GF(2^3) with irreducible polynomial
    p(x) = x^3 + x + 1 (1011 in binary), the product d = a * a is computed as follows:

    Step 1. Multiply a * a:

          101
        * 101
        -----
          101
         000
        101
        -----
        10001

    Step 2. Divide by p(x) = 1011:

             10
        1011)10001
             1011
             ----
              111 = d .
Example:
    Let a = 111 and b = 100. The product d = a * b is computed in GF(2^3) with
    irreducible polynomial p(x) = 1011 (x^3 + x + 1) as follows:

    Step 1. Multiply a * b:

          111
        * 100
        -----
          000
         000
        111
        -----
        11100

    Step 2. Divide by p(x) = 1011:

              11
        1011)11100
             1011
             ----
             1010
             1011
             ----
                1 = d .

    Thus, 111 * 100 mod 1011 = 001, so 111 and 100 are inverses mod 1011 in
    GF(2^3). ■
Example:
    Let a = 100 (x^2) and p(x) = 1011 in GF(2^3). The reader should verify that

    a^(−1) = inv(100, 1011) = 111 . ■
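Multiplication in GF(2^n) can be sketched as shift-and-XOR followed by reduction mod p(x) (an illustrative Python rendering, not from the original text):

```python
def gf_mult(a: int, b: int, p: int, n: int) -> int:
    """Multiply a and b in GF(2^n), all operands given as bit vectors
    packed into integers (e.g., 0b1011 is x^3 + x + 1)."""
    prod = 0
    for i in range(n):                      # shift-and-add; addition is XOR
        if (a >> i) & 1:
            prod ^= b << i
    for i in range(2 * n - 2, n - 1, -1):   # reduce mod p(x), high bits first
        if (prod >> i) & 1:
            prod ^= p << (i - n)
    return prod

# the examples above, in GF(2^3) with p(x) = x^3 + x + 1 (1011):
assert gf_mult(0b101, 0b101, 0b1011, 3) == 0b111   # 101 * 101 = 111
assert gf_mult(0b111, 0b100, 0b1011, 3) == 0b001   # 111 and 100 are inverses
```

No carries are ever propagated, which is what makes this arithmetic cheaper in hardware than addition and multiplication mod a prime p.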
In general, the unreduced product of a = (a_{n−1}, …, a_0) and b = (b_{n−1}, …, b_0)
has low-order bits

    c_i = a_0·b_i ⊕ a_1·b_{i−1} ⊕ ··· ⊕ a_i·b_0 ,    i = 0, …, n − 1 ,

and high-order bits s_1, …, s_{n−1}, obtained by summing (mod 2) the columns of
the array of partial products:

                                            a_{n−1}  ···  a_1  a_0
                              a_0·b_{n−1}  ···  a_0·b_1  a_0·b_0
                a_1·b_{n−1}  a_1·b_{n−2}  ···  a_1·b_0
    a_2·b_{n−1}  a_2·b_{n−2}  a_2·b_{n−3}  ···
      ···
    a_{n−1}·b_{n−1}  ···  a_{n−1}·b_2  a_{n−1}·b_1  a_{n−1}·b_0
    --------------------------------------------------------------
    s_{n−1}  ···  s_2  s_1  c_{n−1}  ···  c_1  c_0 .

Reducing by p(x), we see that if bit s_{n−1} = 1, bits c_{n−1} and c_{n−2} are
complemented; if bit s_{n−2} = 1, bits c_{n−2} and c_{n−3} are complemented; and so
forth, giving the reduced product

    d = (d_{n−1}, …, d_0) ,

where:

    d_{n−1} = c_{n−1} ⊕ s_{n−1}
       ⋮
    d_0     = c_0 ⊕ s_1 .
EXERCISES
[Hint: p(X) = Σ_Y p(X, Y), p(Y) = Σ_X p(X, Y), and p(X)p(Y) ≤ p(X, Y),
equality holding only when X and Y are independent.]
1.7 Show that H(X, Y) = H_Y(X) + H(Y). Combine this with the result in the
    previous problem to show that H_Y(X) ≤ H(X); thus, the uncertainty about
    X cannot increase with the additional information Y. [Hint:
    p(X, Y) = p_Y(X)p(Y).]
1.8 Let M be a secret message revealing the recipient of a scholarship. Suppose
there was one female applicant, Anne, and three male applicants, Bob, Doug,
and John. It was initially thought each applicant had the same chance
of receiving the scholarship; thus p(Anne) = p(Bob) = p(Doug) = p(John)
= 1/4. It was later learned that the chances of the scholarship going to a
female were 1/2. Letting S denote a message revealing the sex of the recipi-
ent, compute H_S(M).
1.9 Let M be a 6-digit number in the range [0, 10^6 − 1] enciphered with a
    Caesar-type shifted substitution cipher with key K, 0 ≤ K ≤ 9. For example,
    if K = 1, M = 123456 is enciphered as 234567. Compute H(M), H(C),
    H(K), H_C(M), and H_C(K), assuming all values of M and K are equally
    likely.
1.10 Consider the following ciphertexts:

        XXXXX
        VWXYZ
        RKTIC
        JZQAT

    Which of these ciphertexts could result from enciphering five-letter
    words of English using:
1.11 Suppose plaintext messages are 100 letters long and that keys are specified
by sequences of letters. Explain why perfect secrecy can be achieved with
keys fewer than 100 letters long. How long must the keys be for perfect
secrecy?
1.12 Compare the redundancy of programs written in different languages (e.g.,
PASCAL, APL, and COBOL). Suggest ways in which the redundancy can
be reduced (and later recovered) from a program.
1.13 Show that the cancellation law does not hold over the integers mod n with
multiplication when n is not prime by showing there exist integers x and y
such that x • y mod n = 0, but neither x nor y is 0.
1.14 Let n be an integer represented in base 10 as a sequence of t decimal digits
    d1 d2 ··· dt. Prove that

        n mod 9 = [ Σ_{i=1}^{t} d_i ] mod 9 .
1.15 For each equation of the form (ax mod n = b) that follows, solve for x in the
    range [0, n − 1].
    a. 5x mod 17 = 1
    b. 19x mod 26 = 1
    c. 17x mod 100 = 1
    d. 17x mod 100 = 10
1.16 Find all solutions to the equation
15x mod 25 = 10
in the range [0, 24].
1.17 Apply algorithm crt in Figure 1.24 to find an x ∈ [0, 59] such that

        x mod 4 = 3
        x mod 3 = 2
        x mod 5 = 4 .
1.18 Find a solution to the equation

        13x mod 70 = 1

    by first solving:

        13x1 mod 2 = 1
        13x2 mod 5 = 1
        13x3 mod 7 = 1

    and then applying algorithm crt.
1.19 Let a = 100 (x^2) in GF(2^3) with modulus p(x) = 1011 (x^3 + x + 1). Divide
    1000000000000 by 1011 to show that

        a^(−1) = 100^6 mod 1011 = 111 .

    Using algorithm inv, show that

        a^(−1) = inv(100, 1011) = 111 .

1.20 Find the inverse of a = 011 (x + 1) in GF(2^3) with p(x) = 1011.
REFERENCES
Aho74. Aho, A., Hopcroft, J., and Ullman, J., The Design and Analysis of Computer
Algorithms, Addison-Wesley, Reading, Mass. (1974).
Baye76. Bayer, R. and Metzger, J. K., "On the Encipherment of Search Trees and Random
Access Files," ACM Trans. On Database Syst. Vol. 1(1) pp. 37-52 (Mar. 1976).
Berk79. Berkovits, S., Kowalchuk, J., and Schanning, B., "Implementing Public Key
Schemes," IEEE Comm. Soc. Mag. Vol. 17(3) pp. 2-3 (May 1979).
Berl68. Berlekamp, E. R., Algebraic Coding Theory, McGraw-Hill, New York (1968).
Blak80. Blakley, G. R., "One-Time Pads are Key Safeguarding Schemes, Not Cryptosys-
tems," Proc. 1980 Symp. on Security and Privacy, IEEE Computer Society, pp. 108-
113 (Apr. 1980).
Bras79a. Brassard, G., "Relativized Cryptography," Proc. IEEE 20th Annual Symp. on
Found. of Comp. Sci., pp. 383-391 (Oct. 1979).
Bras79b. Brassard, G., "A Note on the Complexity of Cryptography," IEEE Trans. on
Inform. Theory Vol. IT-25(2) pp. 232-233 (Mar. 1979).
Bras80. Brassard, G., "A Time-Luck Tradeoff in Cryptography," Proc. IEEE 21st Annual
Symp. on Found. of Comp. Sci., pp. 380-386 (Oct. 1980).
Cook71. Cook, S. A., "The Complexity of Theorem-Proving Procedures," Proc. 3rd Annual
ACM Symp. on the Theory of Computing, pp. 151-158 (1971).
Cove78. Cover, T. M. and King, R. C., "A Convergent Gambling Estimate of the Entropy
of English," IEEE Trans. on Inform. Theory Vol. IT-24 pp. 413-421 (Aug. 1978).
Davi72. Davida, G. I., "Inverse of Elements of a Galois Field," Electronics Letters Vol.
8(21) (Oct. 19, 1972).
Deav77. Deavours, C. A., "Unicity Points in Cryptanalysis," Cryptologia Vol. 1(1) pp. 46-
68 (Jan. 1977).
Diff76. Diffie, W. and Hellman, M., "New Directions in Cryptography," IEEE Trans. on
Info. Theory Vol. IT-22(6) pp. 644-654 (Nov. 1976).
Gare79. Garey, M. R. and Johnson, D. S., Computers and Intractability, A Guide to the
Theory of NP-Completeness, W. H. Freeman and Co., San Francisco, Calif. (1979).
Hamm80. Hamming, R. W., Coding and Information Theory, Prentice-Hall, Englewood
Cliffs, N.J. (1980).
REFERENCES 57
Hell77. Hellman, M. E., "An Extension of the Shannon Theory Approach to Cryptogra-
phy," IEEE Trans. on Info. Theory Vol. IT-23 pp. 289-294 (May 1977).
Huff52. Huffman, D., "A Method for the Construction of Minimum-Redundancy Codes,"
Proc. IRE Vol. 40 pp. 1098-1101 (1952).
Knut69. Knuth, D., The Art of Computer Programming; Vol. 2, Seminumerical Algo-
rithms, Addison-Wesley, Reading, Mass. (1969). (Exercise 4.5.2.15.)
Konh81. Konheim, A. G., Cryptography: A Primer, John Wiley & Sons, New York (1981).
Lemp79. Lempel, A., "Cryptology in Transition," Computing Surveys Vol. 11 (4) pp. 285-
303 (Dec. 1979).
LeVe77. LeVeque, W. J., Fundamentals of Number Theory, Addison-Wesley, Reading,
Mass. (1977).
MacW78. MacWilliams, E J. and Sloane, N. J. A., The Theory of Error Correcting
Codes, North-Holland, New York (1978).
McEI77. McEliece, R., The Theory of Information and Coding, Addison-Wesley, Reading,
Mass. (1977).
McE178. McEliece, R., "A Public Key Cryptosystem Based on Algebraic Coding Theory,"
DSN Progress Rep. 42-44, Jet Propulsion Lab Calif. Inst. of Tech., Pasadena, Ca.
(Jan., Feb. 1978).
Merk80. Merkle, R. C., "Protocols for Public Key Cryptosystems," pp. 122-133 in Proc.
1980 Symp. on Security and Privacy, IEEE Computer Society (Apr. 1980).
Mins67. Minsky, M., Computation: Finite and lnfinite Machines, Prentice-Hall, Engle-
wood Cliffs, N.J. (1967).
Need78. Needham, R. M. and Schroeder, M., "Using Encryption for Authentication in
Large Networks of Computers," Comm. ACM Vol. 21(12) pp. 993-999 (Dec. 1978).
Nive72. Niven, I. and Zuckerman, H. A., An Introduction to the Theory of Nurnbers, John
Wiley & Sons, New York (1972).
Pete72. Peterson, W. W. and Weldon, E. J., Error Correcting Codes, MIT Press, Cam-
bridge, Mass. (1972).
Pope79. Popek, G. J. and Kline, C. S., "Encryption and Secure Computer Networks,"
Computing Surveys Vol. 11(4) pp. 331-356 (Dec. 1979).
Rabi78. Rabin, M., "Digitalized Signatures," pp. 155-166 in Foundations of Secure Com-
putation, ed. R. A. DeMillo et al., Academic Press, New York (1978).
Sham79. Shamir, A., "On the Cryptocomplexity of Knapsack Systems," Proc. 11 th Annual
ACM Symp. on the Theory of Computing, pp. 118-129 (May 1979).
Shan48. Shannon, C. E., "A Mathematical Theory of Communication," Bell Syst. Tech. J.
Vol. 27 pp. 379-423 (July), 623-656 (Oct.) (1948).
Shan49. Shannon, C. E., "Communication Theory of Secrecy Systems," Bell Syst. Tech. J.
Vol. 28 pp. 656-715 (Oct. 1949).
Shan51. Shannon, C. E., "Predilection and Entropy of Printed English," Bell Syst. Tech. J.,
Vol. 30 pp. 50-64 (Jan. 1951).
Simm79. Simmons, G. J., "Symmetric and Asymmetric Encryption," Computing Surveys
Vol. 11(4) pp. 305-330 (Dec. 1979).
Simm81. Simmons, G. J., "Half a Loaf is Better Than None: Some Novel Message Integri-
ty Problems," Proc. 1981 Syrup. on Security and Privacy, IEEE Computer Society
pp. 65-69, (April 1981).
Smid79. Smid, M., "A Key Notarization System for Computer Networks," NBS Special
Pub. 500-54, National Bureau of Standards Washington, D.C. (Oct. 1979).
Turi36. Turing, A., "On Computable Numbers, with an Application to the Entscheidungs-
problem," Proc. London Math. Soc. Ser. 2 Vol. 42, pp. 230-265 and Vol. 43, pp.
544-546 ( 1936).
58 INTRODUCTION
Turn73. Turn, R., "Privacy Transformations for Databank Systems," pp. 589-600 in Proc.
NCC, Vol. 42, AFIPS Press, Montvale, N.J. (1973).
Vino55. Vinogradov, I. M., An Introduction to the Theory of Numbers, Pergamon Press,
Elmsford, N.Y. (1955).
Zier68. Zierler, N. and Brillhard, J., "On Primitive Trinomials (Mod 2)," lnfo. and Con-
trol Vol. 13 pp. 541-554 (1968).
Zier69. Zierler, N. and Brillhard, J., "On Primitive Trinomials (Mod 2)," Info. and Con-
trol Vol. 14 pp. 566-569 (1969).
2
Encryption Algorithms
First, the plaintext was written into the figure according to some "write-in" path.
Second, the ciphertext was taken off the figure according to some "take-off" path.
The key consisted of the figure together with the write-in and take-off paths.
The geometrical figure was often a 2-dimensional array (matrix). In colum-
nar transposition the plaintext was written into a matrix by rows. The ciphertext
was obtained by taking off the columns in some order.
Example:
Suppose that the plaintext RENAISSANCE is written into a 3 × 4 matrix by rows as follows:

    1 2 3 4
    R E N A
    I S S A
    N C E

If the columns are taken off in the order 2-4-1-3, the resulting ciphertext is ESCAARINNSE. ■
In a permutation cipher with period d, the plaintext is divided into blocks of d characters, and each block is enciphered by the same permutation f of the integers 1, ..., d: a block M = m1 m2 ... md is enciphered as

    EK(M) = mf(1) mf(2) ... mf(d) .

Example:
Suppose that d = 4 and f gives the permutation:

    i:    1 2 3 4
    f(i): 2 4 1 3;
thus, the first plaintext character is moved to the third position in the cipher-
text, the second plaintext character to the first position, and so forth. The
plaintext RENAISSANCE is enciphered as:
    M     = RENA ISSA NCE
    EK(M) = EARN SAIS CNE .

The preceding ciphertext is broken into groups of four letters only for clarity; the actual ciphertext would be transmitted as a continuous stream of characters to hide the period. The short block at the end is enciphered by moving the characters to their relative positions in the permutation. ■
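The block-and-permutation procedure just described can be sketched in Python (a minimal illustration; the function and variable names are mine, not the book's):

```python
def permute_block(block, f):
    # ciphertext position j receives plaintext character m_f(j); for a short
    # final block, keep only the entries of f that fit, preserving their order
    usable = [i for i in f if i <= len(block)]
    return "".join(block[i - 1] for i in usable)

def encipher(plaintext, f):
    # break the plaintext into blocks of d = len(f) characters, permute each
    d = len(f)
    blocks = [plaintext[i:i + d] for i in range(0, len(plaintext), d)]
    return "".join(permute_block(b, f) for b in blocks)

print(encipher("RENAISSANCE", [2, 4, 1, 3]))  # EARNSAISCNE
```

The short block NCE is handled exactly as in the example: permutation entries larger than the block length are dropped, so its characters keep their relative positions.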
[Figure: a chart of English digram frequencies, with rows and columns labeled A through Z; heavier marks indicate more frequent digrams.]
A transposition cipher with period d has d! possible keys (arrangements of the columns), so its unicity distance is

    N ≈ H(K)/D = log2(d!)/D .

Using Stirling's approximation, log2(d!) ≈ d log2(d/e); with D = 3.2 for English,

    N ≈ d log2(d/e) / 3.2 .

Example:
If the period is d = 27, then d/e ≈ 10 and log2(d/e) ≈ 3.2, so N ≈ 27. ■
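The estimate is easy to check numerically. The sketch below (helper names are mine) compares the exact value log2(d!)/D with the Stirling approximation; with the more precise log2(27/e) ≈ 3.31, the estimate for d = 27 comes out nearer 28:

```python
import math

D = 3.2  # redundancy of English, in bits per letter

def unicity_exact(d):
    # N ~ log2(d!) / D, computed via the log-gamma function
    return math.lgamma(d + 1) / math.log(2) / D

def unicity_stirling(d):
    # N ~ d * log2(d/e) / D, the Stirling approximation
    return d * math.log2(d / math.e) / D

print(round(unicity_stirling(27)))  # 28
print(round(unicity_exact(27)))     # 29
```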
There are four types of substitution ciphers: simple substitution, homophonic sub-
stitution, polyalphabetic substitution, and polygram substitution. Simple substitu-
tion ciphers replace each character of plaintext with a corresponding character of
ciphertext; a single one-to-one mapping from plaintext to ciphertext characters is
used to encipher an entire message. Homophonic substitution ciphers are similar,
except the mapping is one-to-many, and each plaintext character is enciphered
with a variety of ciphertext characters. Polyalphabetic substitution ciphers use
multiple mappings from plaintext to ciphertext characters; the mappings are usu-
ally one-to-one as in simple substitution. Polygram substitution ciphers are the
most general, permitting arbitrary substitutions for groups of characters.
A simple substitution cipher replaces each character of an ordered plaintext
alphabet, denoted A, with the corresponding character of an ordered cipher alpha-
bet, denoted C (typically C is a simple rearrangement of the lexicographic order of
the characters in A). Let A be an n-character alphabet {a0, a1, ..., a(n-1)}. Then C is an n-character alphabet {f(a0), f(a1), ..., f(a(n-1))}, where f: A -> C is a one-to-one mapping of each character of A to the corresponding character of C. The key to the cipher is given by C or, equivalently, by the function f.
To encipher, a plaintext message M = m1 m2 ... is written as the ciphertext message:

    EK(M) = f(m1) f(m2) ... .
Example:
Suppose that f maps the standard English alphabet A = {A, B . . . . , Z} into
the cipher alphabet C shown next:
A: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
C: H A R P S I C O D B E F G J K L M N Q T U V W X Y Z .
Then the plaintext R E N A I S S A N C E is enciphered as:
    M     = RENAISSANCE
    EK(M) = NSJHDQQHJRS . ■
The preceding example uses a keyword mixed alphabet: the cipher alphabet is constructed by first listing the letters of a keyword (in this case HARPSICHORD), omitting duplicates, and then listing the remaining letters of the alphabet in order.
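The keyword mixed alphabet construction, and the resulting substitution, can be sketched as follows (a minimal illustration; the helper names are mine):

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def keyword_alphabet(keyword):
    # list the keyword's letters, skipping duplicates, then the rest in order
    seen = []
    for ch in keyword + ALPHABET:
        if ch not in seen:
            seen.append(ch)
    return "".join(seen)

def encipher(msg, cipher_alphabet):
    return msg.translate(str.maketrans(ALPHABET, cipher_alphabet))

C = keyword_alphabet("HARPSICHORD")
print(C)                           # HARPSICODBEFGJKLMNQTUVWXYZ
print(encipher("RENAISSANCE", C))  # NSJHDQQHJRS
```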
Ciphers based on shifted alphabets (sometimes called "direct standard alpha-
bets" [Sink66]) shift the letters of the alphabet to the right by k positions, modulo
the size of the alphabet. Formally,
f(a) = (a + k) mod n ,
where n is the size of the alphabet A, and "a" denotes both a letter of A and its
position in A. For the standard English alphabet, n = 26 and the positions of the
letters are as follows:
    0 - A     7 - H    13 - N    20 - U
    1 - B     8 - I    14 - O    21 - V
    2 - C     9 - J    15 - P    22 - W
    3 - D    10 - K    16 - Q    23 - X
    4 - E    11 - L    17 - R    24 - Y
    5 - F    12 - M    18 - S    25 - Z
    6 - G    19 - T
We noted in Chapter 1 that this type of cipher is called a Caesar cipher, because
Julius Caesar used it with k = 3. Under the Caesar cipher, our plaintext RENAISSANCE is enciphered as

    M     = RENAISSANCE
    EK(M) = UHQDLVVDQFH .
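A shifted (Caesar) alphabet is a one-line computation; the sketch below (my own naming) reproduces the k = 3 encipherment:

```python
def shift_encipher(msg, k, n=26):
    # f(a) = (a + k) mod n, using the letter positions 0-A through 25-Z
    return "".join(chr((ord(c) - ord("A") + k) % n + ord("A")) for c in msg)

print(shift_encipher("RENAISSANCE", 3))  # UHQDLVVDQFH
```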
Ciphers based on multiplications use the substitution

    f(a) = a k mod n ,

where k and n are relatively prime so that the letters of the alphabet produce a complete set of residues (see Section 1.6.2).
Example:
If k = 9 and A is the standard English alphabet, we have

    A = ABC DEF GHI JKL MNO PQR STU VWX YZ
    C = AJS BKT CLU DMV ENW FOX GPY HQZ IR ,

whence

    M     = RENAISSANCE
    EK(M) = XKNAUGGANSK . ■
[Figure: key to the Churchyard ciphers, assigning the letters of the alphabet to pigpen-style grid symbols.]
If k and n are not relatively prime, several plaintext letters will encipher to the
same ciphertext letter, and not all letters will appear in the ciphertext alphabet.
For example, if n = 26 and k = 13,
    f(A) = f(C) = f(E) = ... = f(Y) = A (0)
    f(B) = f(D) = f(F) = ... = f(Z) = N (13) .

Addition (shifting) and multiplication can be combined to give an affine transformation (linear plus a constant):

    f(a) = (a k1 + k0) mod n ,

where k1 and n are relatively prime.
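An affine transformation and its inverse can be sketched as follows (the key k1 = 7, k0 = 8 is just a sample key with gcd(k1, 26) = 1; the helper names are mine):

```python
import math

def affine_encipher(msg, k1, k0, n=26):
    # f(a) = (a*k1 + k0) mod n; requires k1 relatively prime to n
    assert math.gcd(k1, n) == 1
    return "".join(chr(((ord(c) - 65) * k1 + k0) % n + 65) for c in msg)

def affine_decipher(msg, k1, k0, n=26):
    # invert with the multiplicative inverse of k1 mod n (Python 3.8+ pow)
    inv = pow(k1, -1, n)
    return "".join(chr((ord(c) - 65 - k0) * inv % n + 65) for c in msg)

c = affine_encipher("RENAISSANCE", 7, 8)
assert affine_decipher(c, 7, 8) == "RENAISSANCE"
```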
Higher-order transformations are obtained with polynomial transformations of degree t:

    f(a) = (a^t kt + a^(t-1) k(t-1) + ... + a k1 + k0) mod n .

A simple substitution cipher on an n-character alphabet has n! possible keys, so its unicity distance is

    N ≈ H(K)/D = log2(n!)/D .

For English, N ≈ log2(26!)/3.2 ≈ 88.4/3.2 ≈ 27.6. Thus, approximately 27 or 28 letters are needed to break these ciphers by frequency analysis. This explains the difficulty in solving the Churchyard ciphers, which contained only 15 characters. In practice, ciphers with at least 25 characters representing a "sensible" message in English can be readily solved [Frie67].
Ciphers based on polynomial transformations have smaller unicity distances and are easier to solve. For shifted alphabets, the number of possible keys is only 26; the unicity distance, derived in Section 1.4.3, is

    N ≈ log2(26)/3.2 ≈ 4.7/3.2 ≈ 1.5 .
A 8.0 7.5
B 1.5 1.4
C 3.0 4.1
D 4.0 3.2
E 13.0 12.7
F 2.0 2.3
G 1.5 1.9
H 6.0 3.8
I 6.5 7.7
J 0.5 0.2
K 0.5 0.4
L 3.5 3.8
M 3.0 3.0
N 7.0 7.0
O 8.0 7.5
P 2.0 3.0
Q 0.2 0.2
R 6.5 6.7
S 6.0 7.3
T 9.0 9.2
U 3.0 2.8
V 1.0 1.0
W 1.5 1.4
X 0.5 0.3
Y 2.0 1.6
Z 0.2 0.1
Each known plaintext-ciphertext letter correspondence (m, c) gives one equation

    (m k1 + k0) mod n = c .

Example:
Consider the following plaintext-ciphertext letter correspondences (the numbers in parentheses are the numerical equivalents):
    high:   E T A O N I R S H
    medium: D L U C M
    low:    P F Y W G B V
    rare:   J K Q X Z
Plaintext Ciphertext
E (4) K (10)
J (9) T (19)
Y (24) U (20)
This gives the three equations:

    (4 k1 + k0) mod 26 = 10     (1)
    (9 k1 + k0) mod 26 = 19     (2)
    (24 k1 + k0) mod 26 = 20    (3)

Subtracting Eq. (1) from Eq. (2), we get

    5 k1 mod 26 = 9 .

We can solve for k1 using Eq. (1.6) (see Section 1.6.2), getting

    k1 = [9 * inv(5, 26)] mod 26
       = (9 * 21) mod 26
       = 7 .

Substituting in Eq. (1) gives

    (28 + k0) mod 26 = 10 ,

whence

    k0 = -18 mod 26 = 8 .

Note that we did not need Eq. (3) to solve for k1 and k0. We must, however, check that the solution satisfies Eq. (3). If it does not, then at least one of the three plaintext-ciphertext correspondences is incorrect (or else the cipher is not an affine transformation). In this case, the key does satisfy Eq. (3): (24 * 7 + 8) mod 26 = 176 mod 26 = 20. ■

In general, we may need more than two equations to solve for k0 and k1. This is because equations of the form "a k mod 26 = c" have multiple solutions when a and 26 are not relatively prime (see Section 1.6.2).
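The algebra of the worked example can be automated. This sketch (my own helper) solves for (k1, k0) from two correspondences whose plaintext positions differ by a value relatively prime to 26:

```python
def solve_affine(p1, p2, n=26):
    # each pair (m, c) satisfies (m*k1 + k0) mod n = c; subtracting gives
    # (m2 - m1)*k1 = (c2 - c1) mod n, solvable when gcd(m2 - m1, n) == 1
    (m1, c1), (m2, c2) = p1, p2
    k1 = (c2 - c1) * pow(m2 - m1, -1, n) % n
    k0 = (c1 - m1 * k1) % n
    return k1, k0

print(solve_affine((4, 10), (9, 19)))  # (7, 8), as in the example
```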
Peleg and Rosenfeld [Pele79] describe a relaxation algorithm for solving
general substitution ciphers. For each plaintext letter a and ciphertext letter b, an
initial probability Pr[f(a) = b] is computed based on single-letter frequencies,
where Pr[f(a) = b] is the probability that plaintext letter a is enciphered as b.
These probabilities are then iteratively updated using trigram frequencies until the
algorithm converges to a solution (set of high probability pairings).
Example:
Suppose that the English letters are enciphered as integers between 0 and 99,
where the number of integers assigned to a letter is proportional to the
relative frequency of the letter, and no integer is assigned to more than one
letter. The following illustrates a possible assignment of integers to the let-
ters in the message PLAIN PILOT (for brevity, integer assignments for the
remaining letters of the alphabet are not given):
Letter Homophones
A 17 19 34 41 56 60 67 83
I 08 22 53 65 88 90
L 03 44 76
N 02 09 15 27 32 40 59
O 01 11 23 28 42 54 70 80
P 33 91
T 05 10 20 29 45 58 64 78 99
One possible encipherment of the message is:

    M = P  L  A  I  N  P  I  L  O  T
    C = 91 44 56 65 59 33 08 76 28 78 . ■
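Homophonic encipherment with the table above can be sketched as follows (a minimal illustration; the dictionary mirrors the integer assignments given for PLAIN PILOT):

```python
import random

HOMOPHONES = {
    "A": [17, 19, 34, 41, 56, 60, 67, 83],
    "I": [8, 22, 53, 65, 88, 90],
    "L": [3, 44, 76],
    "N": [2, 9, 15, 27, 32, 40, 59],
    "O": [1, 11, 23, 28, 42, 54, 70, 80],
    "P": [33, 91],
    "T": [5, 10, 20, 29, 45, 58, 64, 78, 99],
}

def encipher(msg, table, rng=random):
    # replace each letter with a randomly chosen one of its homophones
    return [rng.choice(table[ch]) for ch in msg if ch.isalpha()]

c = encipher("PLAIN PILOT", HOMOPHONES)
```

Because the choice among homophones is random, repeated encipherments of the same message generally differ.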
Kahn [Kahn67] notes the first known Western use of a homophonic cipher
appears in correspondence between the Duchy of Mantua and Simeone de Crema
in 1401. Multiple substitutions were assigned only to vowels; consonants were
assigned single substitutions.
Homophonic ciphers can be much more difficult to solve than simple substitution ciphers, especially when the number of homophones assigned to a letter is proportional to the relative frequency of the letter. This is because the relative distribution of the ciphertext symbols will be nearly flat, confounding frequency analysis. A homophonic cipher may still be breakable, however, if other statistical properties of the plaintext (e.g., digram distributions) are apparent in the ciphertext (e.g., see [Prat42,Stah73]).
Clearly, the more ciphertext symbols available to distribute among the plaintext letters, the easier it is to construct a strong cipher. In the limiting case where each letter of plaintext enciphers into a unique ciphertext symbol, the cipher can be unbreakable.
For over a century amateur cryptanalysts have been trying to solve a cipher pur-
ported to point to a treasure buried in Virginia around 1820 by a party of adven-
turers led by Thomas Jefferson Beale. The cipher is the first of three ciphers left
by Beale. The second cipher, solved by James Ward [Ward85] in the 1880s,
describes the alleged treasure and states that the first cipher contains directions
for finding it. The treasure consists of gold, silver, and jewels worth millions of
dollars today. The third cipher is supposed to list the next of kin of the
adventurers.
The second cipher (B2) is an interesting example of a homophonic substitu-
tion cipher. The key is the Declaration of Independence (DOI). The words of the
DOI are numbered consecutively as shown in Figure 2.6.
Beale enciphered each letter in the plaintext message by substituting the
number of some word which started with that letter. The letter W, for example,
was enciphered with the numbers 1, 19, 40, 66, 72, 290, and 459. When the first cipher (B1) is deciphered with the DOI key, the sequence

    ABFDEFGHIIJKLMMNOHPP

appears in the middle of the plaintext. Gillogly observed that the first F is encrypted as 195
and that word 194 begins with a C; similarly, the last H is encrypted as 301 and
word 302 begins with an O. Hammer [Hamm79] found 23 encrypting errors in
B1, so it is possible the F (for C) and H (for O) were "typos", and the original
plaintext sequence was ABCDEFGHIIJKLMMNOOPP. Perhaps the sequence is
a clue that the DOI is the key--not to abundant riches--but to a gigantic practical
joke.
Meanwhile, members of the Beale Cipher Association pool their findings,
hoping to either locate the treasure or simply solve the riddle. More information
about these fascinating ciphers may also be found in [Bea178,Hamm71].
Given enough ciphertext C, most ciphers are theoretically breakable in the Shannon sense (though doing so may be computationally infeasible). This is because there will be a single key K that deciphers C into meaningful plaintext; all other keys will produce meaningless sequences of letters. Hammer [Hamm81] shows it is possible
to construct higher-order homophonic ciphers such that any intercepted ciphertext
will decipher into more than one meaningful message under different keys. For
example, a ciphertext could decipher into the following two messages under differ-
ent keys:
THE TREASURE IS BURIED IN GOOSE CREEK
THE BEALE CIPHERS ARE A GIGANTIC HOAX.
To construct a second-order homophonic cipher (one in which each ciphertext has two possible plaintext messages), the numbers 1 through n^2 are randomly inserted into an n × n matrix K whose rows and columns correspond to the characters of the plaintext alphabet A. For each plaintext character a, row a of K defines one set of homophones f1(a) and column a defines another set of homophones f2(a). The set of rows thus corresponds to one key (mapping) f1 and the set of columns to a second key f2. A plaintext message M = m1 m2 ... is enciphered along with a dummy message X = x1 x2 ... to get ciphertext C = c1 c2 ..., where

    ci = K[mi, xi],  i = 1, 2, ... .

Each ciphertext element ci is thus selected from the intersection of the sets f1(mi) and f2(xi) and, therefore, deciphers to either mi (under key f1) or xi (under f2). A cryptanalyst cannot deduce the correct message from the ciphertext C because both M and X are equally likely. The intended recipient of the message can, however, decipher C knowing K.
Example:
Let n = 5. The following illustrates a 5 × 5 matrix for the plaintext alphabet {E, I, L, M, S}:

        E  I  L  M  S
    E | 10 22 18 02 11
    I | 12 01 25 05 20
    L | 19 06 23 13 07
    M | 03 16 08 24 15
    S | 17 09 21 14 04

The message SMILE is enciphered with the dummy message LIMES as follows:

    M = S  M  I  L  E
    X = L  I  M  E  S
    C = 21 16 05 19 11 . ■
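The two-key property can be sketched directly from the 5 × 5 matrix above (helper names are mine):

```python
ALPHABET = "EILMS"
K = [[10, 22, 18,  2, 11],
     [12,  1, 25,  5, 20],
     [19,  6, 23, 13,  7],
     [ 3, 16,  8, 24, 15],
     [17,  9, 21, 14,  4]]

def encipher(msg, dummy):
    # c_i = K[m_i, x_i]: row chosen by the real message, column by the dummy
    pos = {ch: i for i, ch in enumerate(ALPHABET)}
    return [K[pos[m]][pos[x]] for m, x in zip(msg, dummy)]

def decipher(cipher, use_rows=True):
    # key f1 reads each number's row letter; key f2 reads its column letter
    out = ""
    for c in cipher:
        for r in range(5):
            if c in K[r]:
                out += ALPHABET[r] if use_rows else ALPHABET[K[r].index(c)]
    return out

assert encipher("SMILE", "LIMES") == [21, 16, 5, 19, 11]
assert decipher([21, 16, 5, 19, 11], True) == "SMILE"
assert decipher([21, 16, 5, 19, 11], False) == "LIMES"
```

The same ciphertext thus deciphers to either message, depending on which of the two keys is applied.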
2.4 POLYALPHABETIC SUBSTITUTION CIPHERS
In the Vigenère cipher, the key is a sequence of letters K = k1 ... kd, where ki (i = 1, ..., d) gives the amount of shift in the ith alphabet; that is,

    fi(a) = (a + ki) mod n .

Example:
The encipherment of the word RENAISSANCE under the key BAND is shown next:

    M     = RENA ISSA NCE
    K     = BAND BAND BAN
    EK(M) = SEAD JSFD OCR .

In this example, the first letter of each four-letter group is shifted (mod 26) by 1, the second by 0, the third by 13, and the fourth by 3. ■
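The Vigenère encipherment can be sketched as follows (my own helper name):

```python
def vigenere(msg, key):
    # f_i(a) = (a + k_i) mod 26, cycling through the key letters
    out = []
    for i, ch in enumerate(msg):
        k = ord(key[i % len(key)]) - ord("A")
        out.append(chr((ord(ch) - ord("A") + k) % 26 + ord("A")))
    return "".join(out)

print(vigenere("RENAISSANCE", "BAND"))  # SEADJSFDOCR
```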
[Table 2.1. The Vigenère Tableau.]
The Vigenère Tableau facilitated encryption and decryption (see Table 2.1).
For plaintext letter a and key letter k, the ciphertext c is the letter in column a of
row k. For ciphertext c, the plaintext a is the column containing c in row k.
The Beaufort cipher is similar, using the substitution

    fi(a) = (ki - a) mod n .

Note that the same function can be used to decipher; that is, for ciphertext letter c,

    fi^(-1)(c) = (ki - c) mod n .

The Beaufort cipher reverses the letters in the alphabet, and then shifts them to the right by (ki + 1) positions. This can be seen by rewriting f as follows:

    fi(a) = [(n - 1) - a + (ki + 1)] mod n .

Example:
If ki = D, the mapping from plaintext to ciphertext letters is given by fi(a) = (D - a) mod 26 as shown next:

    A: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
    C: D C B A Z Y X W V U T S R Q P O N M L K J I H G F E . ■
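Because fi(fi(a)) = (ki - (ki - a)) mod n = a, a Beaufort encipherment is undone by applying the same function again; a minimal sketch (naming mine):

```python
def beaufort(msg, key):
    # f_i(a) = (k_i - a) mod 26; the cipher is its own inverse
    out = []
    for i, ch in enumerate(msg):
        k = ord(key[i % len(key)]) - ord("A")
        out.append(chr((k - (ord(ch) - ord("A"))) % 26 + ord("A")))
    return "".join(out)

c = beaufort("RENAISSANCE", "D")
print(c)                                  # MZQDVLLDQBZ
assert beaufort(c, "D") == "RENAISSANCE"  # the same function deciphers
```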
The Vigenère Tableau can also be used to encipher and decipher. For plaintext
letter a, the ciphertext letter c is the row containing the key k in column a. For
ciphertext letter c, the plaintext letter a is the column containing k in row c. The
Beaufort cipher is named after the English admiral Sir Francis Beaufort, although
it was first proposed by the Italian Giovanni Sestri in 1710 [Kahn67].
The Variant Beaufort cipher uses the substitution

    fi(a) = (a - ki) mod n .

Because

    (a - ki) mod n = (a + (n - ki)) mod n ,

the Variant Beaufort cipher is equivalent to a Vigenère cipher with key character (n - ki).
The Variant Beaufort cipher is also the inverse of the Vigenère cipher; thus if one is used to encipher, the other is used to decipher.
The unicity distance for periodic substitution ciphers is easy to calculate
from the individual substitution ciphers. If there are s possible keys for each
simple substitution, then there are s a possible keys if d substitutions are used. The
unicity distance is thus

    N ≈ H(K)/D = log2(s^d)/D = (log2 s / D) d .

For shifted alphabets, s = 26, whence

    N ≈ (4.7/3.2) d ≈ 1.5d .
A flat distribution of ciphertext letter frequencies suggests a polyalphabetic cipher with a large period. The measure of roughness, MR, gauges the deviation of the frequency distribution from flat:

         n-1
    MR = Σ  (pi - 1/n)^2 ,
         i=0

where pi is the probability that an arbitrarily chosen character in a random ciphertext is the ith character ai in the alphabet (i = 0, ..., n-1), and

    n-1
    Σ  pi = 1 .
    i=0

For the English letters we have

         25
    MR = Σ  (pi - 1/26)^2
         i=0

         25                 25
       = Σ  pi^2 - (2/26)   Σ  pi + 26 (1/26)^2
         i=0                i=0

         25
       = Σ  pi^2 - 1/26
         i=0

         25
       ≈ Σ  pi^2 - .038 .
         i=0
Because the period and, therefore, the probabilities are unknown, it is not possible to compute MR. But it is possible to estimate MR using the distribution of letter frequencies in the ciphertext. Observe that

                 25
    MR + .038 =  Σ  pi^2
                 i=0

is the probability that two arbitrarily chosen letters from a random ciphertext are the same. Now, the total number of pairs of letters that can be chosen from a given ciphertext of length N is N(N - 1)/2. Let Fi be the frequency of the ith letter of English (i = 0, ..., 25) in the ciphertext; thus, F0 + F1 + ... + F25 = N. The number of pairs containing just the ith letter is

    Fi (Fi - 1) / 2 .

The IC is defined to be the probability that two letters chosen at random from the given ciphertext are alike:

          25
          Σ  Fi (Fi - 1)
          i=0
    IC = ---------------- .
            N (N - 1)

For a cipher of period d, the expected value of IC is approximately

    IC ≈ (1/d) ((N - d)/(N - 1)) (.066) + ((d - 1)/d) (N/(N - 1)) (.038) .
TABLE 2.2. Expected values of IC.

    d       IC
    1       .066
    2       .052
    3       .047
    4       .045
    5       .044
    10      .041
    large   .038
To estimate the period, a cryptanalyst computes the IC of an intercepted ciphertext and compares it with the expected values shown in Table 2.2. Because IC is statistical in nature, it does not necessarily reveal the period exactly. Nevertheless, it may provide a clue as to whether the cipher is monoalphabetic, polyalphabetic with small period, or polyalphabetic with large period.
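Both the observed IC and its expected value for a given period are short computations (helper names are mine; the expected-value expression is the standard Friedman estimate):

```python
from collections import Counter

def index_of_coincidence(text):
    # IC = sum of F_i(F_i - 1) over N(N - 1), for letter frequencies F_i
    freqs = Counter(ch for ch in text.upper() if ch.isalpha())
    n = sum(freqs.values())
    return sum(f * (f - 1) for f in freqs.values()) / (n * (n - 1))

def expected_ic(n, d):
    # expected IC of an n-letter ciphertext enciphered with period d
    return (1 / d) * ((n - d) / (n - 1)) * 0.066 \
         + ((d - 1) / d) * (n / (n - 1)) * 0.038

print(round(expected_ic(1000, 1), 3))  # 0.066, a monoalphabetic cipher
print(round(expected_ic(1000, 5), 3))  # 0.044, as in Table 2.2
```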
The Kasiski method, introduced in 1863 by the Prussian military officer Friedrich
W. Kasiski [Kasi63], analyzes repetitions in the ciphertext to determine the exact
period (see also [Kahn67,Gain56]). For example, suppose the plaintext TO BE
OR NOT TO BE is enciphered with a Vigenère cipher using key HAM as shown next:

    M     = TOBEORNOTTOBE
    K     = HAMHAMHAMHAMH
    EK(M) = AONLODUOFAONL

Notice that the ciphertext contains two occurrences of the cipher sequence AONL, 9 characters apart.
Repetitions in the ciphertext occur when a plaintext pattern repeats at a distance equal to a multiple of the key length. Repetitions more than two cipher characters long are unlikely to occur by pure chance. If m ciphertext repetitions are found at intervals Ij (1 <= j <= m), the period is likely to be some number that divides most of the m intervals. The preceding example has an interval I1 = 9, suggesting a period of 1, 3, or 9 (in fact it is 3).
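A Kasiski scan simply records the distances between repeated substrings (a sketch; names are mine):

```python
from collections import defaultdict

def kasiski_intervals(ciphertext, length=4):
    # distances between successive occurrences of repeated substrings
    positions = defaultdict(list)
    for i in range(len(ciphertext) - length + 1):
        positions[ciphertext[i:i + length]].append(i)
    return [p[j + 1] - p[j] for p in positions.values() if len(p) > 1
            for j in range(len(p) - 1)]

print(kasiski_intervals("AONLODUOFAONL"))  # [9]: the period divides 9
```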
The IC is useful for confirming a period d found by the Kasiski method or by exhaustive search (whereas this would be tedious and time-consuming by hand, a computer can systematically try d = 1, 2, 3, ... until the period is found). Letting c1 c2 ... denote the ciphertext, the IC is computed for each of the d sequences:

    1: c1 c(d+1) c(2d+1) ...
    2: c2 c(d+2) c(2d+2) ...
    ...
    d: cd c(2d) c(3d) ...

If each sequence is enciphered with one key, each will have an IC close to .066. Once the period is determined, each cipher alphabet is separately analyzed as for simple substitution.
Example:
We shall now apply the index of coincidence and Kasiski method to analyze
the ciphertext shown in Figure 2.8. Figure 2.9 shows that the frequency
distribution of the letters in the ciphertext is flatter than normal, and that
the IC is .0434; this suggests a polyalphabetic substitution cipher with a
period of about 5.
[Figure 2.8. The intercepted ciphertext analyzed in this example.]
[Figure 2.9. Frequency distribution of the letters in the ciphertext.]

Char Percent
A 4.0 ********
B 0.9 **
C 6.1 ************
D 2.0 ****
E 4.9 **********
F 3.5 *******
G 4.0 ********
H 3.2 ******
I 3.5 *******
J 4.6 *********
K 5.2 **********
L 5.8 ************
M 3.2 ******
N 4.6 *********
O 4.0 ********
P 2.0 ****
Q 3.8 ********
R 8.7 *****************
S 4.3 *********
T 2.0 ****
U 3.5 *******
V 4.0 ********
W 1.7 ***
X 0.6 *
Y 6.1 ************
Z 3.8 ********
    1: c1 c4 c7 ...
    2: c2 c5 c8 ...
    3: c3 c6 c9 ... .
The security of a substitution cipher generally increases with the key length. In a
running-key cipher, the key is as long as the plaintext message, foiling a Kasiski
attack (assuming the key does not repeat). One method uses the text in a book (or
any other document) as a key sequence in a substitution cipher based on shifted
alphabets (i.e., a nonperiodic Vigen~re cipher). The key is specified by the title of
the book and starting position (section, paragraph, etc.).
Example:
Given the starting key: "Cryptography and Data Security, Section 2.3.1,
paragraph 2," the plaintext message "THE TREASURE IS BURIED..." is enciphered as

    M     = THETREASUREISBURIED...
    K     = THESECONDCIPHERISAN...
    EK(M) = MOILVGOFXTMXZFLZAEQ...

(the string "(B2)" in the text was omitted from the key sequence because some of the characters are not letters). ■
Because perfect secrecy is possible using key sequences as long as the mes-
sages they encipher, one might expect a running key cipher to be unbreakable.
This is not so. If the key has redundancy (as with English text), the cipher may be
breakable using Friedman's methods [Frie18] (see also [Kahn67,Diff79]). Fried-
man's approach is based on the observation that a large proportion of letters in the
ciphertext will correspond to encipherments where both the plaintext and key
letters fall in the high frequency category (see Figure 2.4).
Example:
In our earlier example, 12 of the 19 ciphertext letters came from such pairs,
as noted next:
    M = THETREASUREISBURIED ...
    K = THESECONDCIPHERISAN ...

† R. Smullyan, This Book Needs No Title, Prentice-Hall, Englewood Cliffs, N.J., 1980.
Of the remaining 7 pairs, either the plaintext or key letter belongs to the
high frequency category in 6 of the pairs, and both belong to the medium
category in the remaining pair. ■
Friedman recommends starting with the assumption that all ciphertext let-
ters correspond to high frequency pairs, thus reducing the number of initial possi-
bilities for each plaintext and key letter. The initial guesses are then related to
digram and trigram distributions (and possibly probable words) to determine the
actual pairings.
Example:
Consider the first three ciphertext letters MOI in the preceding example.
There are 26 possible plaintext-key letter pairings for each ciphertext letter
(assuming a shifted substitution). Examining the possible pairs for M, we see
there are only three pairs where both the plaintext and key character fall in
the high frequency category:
A plaintext letter (signal) enters the bank of rotors at one end, travels through the rotors in succession, and emerges as ciphertext at the other end. A machine with t rotors effectively implements a substitution cipher composed of F1, ..., Ft. The ith plaintext letter mi of a message M = m1 m2 ... is enciphered by applying the t rotor substitutions in turn.
The key streams generated by such machines are not as random as they might seem, and the machines are vulnerable to cryptanalysis (see preceding references). Techniques for generating key streams that seem less vulnerable are described in Chapter 3.
Deciphering a Vernam ciphertext is the same operation as enciphering, exclusive-oring with the key stream:

    ci ⊕ ki = mi ⊕ ki ⊕ ki
            = mi .
Example:
If the plaintext character A (11000 in Baudot) is added to the key character D (10010 in Baudot), the result is:

    M     = 11000
    K     = 10010
    EK(M) = 01010 . ■
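The self-inverse property of the exclusive-or is a one-liner to demonstrate (a sketch; names are mine):

```python
def vernam(bits, key):
    # ciphertext = plaintext XOR key; XORing with the key again recovers it
    return [b ^ k for b, k in zip(bits, key)]

m = [1, 1, 0, 0, 0]   # 'A' in Baudot
k = [1, 0, 0, 1, 0]   # 'D' in Baudot
c = vernam(m, k)
assert c == [0, 1, 0, 1, 0]
assert vernam(c, k) == m
```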
Army cryptologist Major Joseph Mauborgne suggested the one-time use of each
key tape, and thus the most formidable cipher of all was born. The only drawback
of the cipher is that it requires a long key sequence; we shall return to this problem
in the next chapter.
If the key to a Vernam cipher is repeated, the cipher is equivalent to a
running-key cipher with a text as key. To see why, suppose two plaintext streams
M and M ' are enciphered with a key stream K, generating ciphertext streams C
and C', respectively. Then
    ci  = mi ⊕ ki ,
    ci' = mi' ⊕ ki ,

for i = 1, 2, ... . Let C'' be the stream formed by taking the exclusive-or of C and C'; then

    ci'' = ci ⊕ ci'
         = mi ⊕ ki ⊕ mi' ⊕ ki
         = mi ⊕ mi' ,

so the key drops out, and C'' is the plaintext stream M enciphered with the plaintext stream M' as running key.
The Playfair cipher is a digram substitution cipher named after the English scientist Lyon Playfair; the cipher was actually invented in 1854 by Playfair's friend, Charles Wheatstone, and was used by the British during World War I [Kahn67]. The key is given by a 5 × 5 matrix of 25 letters (J was not used), such as the one shown in Figure 2.11. Each pair of plaintext letters m1 m2 is enciphered according
to the following rules:
1. If m1 and m2 are in the same row, then c1 and c2 are the two characters to the right of m1 and m2, respectively, where the first column is considered to be to the right of the last column.
2. If m1 and m2 are in the same column, then c1 and c2 are the two characters below m1 and m2, respectively, where the first row is considered to be below the last row.
3. If m1 and m2 are in different rows and columns, then c1 and c2 are the other two corners of the rectangle having m1 and m2 as corners, where c1 is in m1's row and c2 is in m2's row.
4. If m1 = m2, a null letter (e.g., X) is inserted into the plaintext between m1 and m2 to eliminate the double.
5. If the plaintext has an odd number of characters, a null letter is appended to the end of the plaintext.

Figure 2.11:

    H A R P S
    I C O D B
    E F G K L
    M N Q T U
    V W X Y Z
Example:
To encipher the first two letters of RENAISSANCE, observe that R and E are two corners of the rectangle

    H A R
    I C O
    E F G .

They are thus enciphered as the other two corners, H and G. The entire plaintext is enciphered as:

    M     = RE NA IS SA NC EX
    EK(M) = HG WC BH HR WF GV . ■
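The Playfair rules translate directly into code; this sketch (my own structure, using the key square of Figure 2.11) reproduces the example:

```python
SQUARE = ["HARPS", "ICODB", "EFGKL", "MNQTU", "VWXYZ"]

def find(ch):
    for r, row in enumerate(SQUARE):
        if ch in row:
            return r, row.index(ch)

def encipher_pair(a, b):
    ra, ca = find(a)
    rb, cb = find(b)
    if ra == rb:                              # rule 1: same row
        return SQUARE[ra][(ca + 1) % 5] + SQUARE[rb][(cb + 1) % 5]
    if ca == cb:                              # rule 2: same column
        return SQUARE[(ra + 1) % 5][ca] + SQUARE[(rb + 1) % 5][cb]
    return SQUARE[ra][cb] + SQUARE[rb][ca]    # rule 3: rectangle corners

def playfair(plaintext):
    s = plaintext.replace("J", "I")
    pairs, i = [], 0
    while i < len(s):
        a = s[i]
        b = s[i + 1] if i + 1 < len(s) else "X"   # rule 5: pad odd length
        if a == b:                                # rule 4: split doubles
            b = "X"
            i += 1
        else:
            i += 2
        pairs.append((a, b))
    return "".join(encipher_pair(a, b) for a, b in pairs)

print(playfair("RENAISSANCE"))  # HGWCBHHRWFGV
```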
Expressing M and C as the column vectors M = (m1, m2) and C = (c1, c2), this can be written as

    C = EK(M) = K M mod n ,

where K is the 2 × 2 matrix

        | k11 k12 |
    K = | k21 k22 | .

That is,

    | c1 |   | k11 k12 | | m1 |
    |    | = |         | |    |  mod n .
    | c2 |   | k21 k22 | | m2 |
Example:
Let n be 26 and let K and K^(-1) be inverse matrices mod 26, so that

    K K^(-1) mod 26 = | 1 0 |
                      | 0 1 | .

Enciphering the plaintext pair M with K gives the ciphertext C = (24, 16), or YQ. To decipher, we compute M = K^(-1) C mod 26.
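A 2 × 2 matrix encipherment and its inversion can be sketched as follows; the key K = [[3, 3], [2, 5]] and the plaintext pair are hypothetical examples of mine (the key's determinant 9 is relatively prime to 26, as required):

```python
def matrix_encipher(m, K, n=26):
    # C = K M mod n for a 2x2 key K and column vector M = (m1, m2)
    return [(K[0][0] * m[0] + K[0][1] * m[1]) % n,
            (K[1][0] * m[0] + K[1][1] * m[1]) % n]

def matrix_inverse(K, n=26):
    # K^(-1) = det^(-1) * adj(K) mod n; requires gcd(det, n) == 1
    det = (K[0][0] * K[1][1] - K[0][1] * K[1][0]) % n
    d = pow(det, -1, n)
    return [[K[1][1] * d % n, -K[0][1] * d % n],
            [-K[1][0] * d % n, K[0][0] * d % n]]

K = [[3, 3], [2, 5]]   # hypothetical key; det = 9, gcd(9, 26) = 1
m = [7, 8]             # hypothetical plaintext pair (H, I)
c = matrix_encipher(m, K)
assert matrix_encipher(c, matrix_inverse(K)) == m
```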
where each Si is a function of the key K. The substitutions Si are broken into 4 smaller substitutions Si1, ..., Si4, each operating on a 3-bit subblock to reduce the complexity of the microelectronic circuits. Because the permutations Pi shuffle all
[Figure: the DES enciphering structure. The input passes through the initial permutation IP; sixteen rounds then compute L1 = R0, R1 = L0 ⊕ f(R0, K1), ..., L15 = R14, R15 = L14 ⊕ f(R14, K15), with a final round under K16; the result passes through IP^(-1) to give the output.]
12-bits, each bit of plaintext can conceivably affect each bit of ciphertext. (See
[Feis70,Feis75,Kam78] for details on the design of substitution-permutation
ciphers.)
    L0 = t1 ... t32
    R0 = t33 ... t64 .

Then

    Li = Ri-1
    Ri = Li-1 ⊕ f(Ri-1, Ki) ,

where "⊕" is the exclusive-or operation and Ki is a 48-bit key described later. Note that after the last iteration, the left and right halves are not exchanged; instead, the concatenated block R16 L16 is input to the final permutation IP^-1.
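The iteration above can be sketched as follows. The round function f here is an arbitrary stand-in (the real DES f, built from the expansion E, the S-boxes, and a permutation, is described below); the point of the sketch is that the same structure run with the keys in reverse order inverts the cipher.

```python
# Feistel iteration: Li = R(i-1), Ri = L(i-1) XOR f(R(i-1), Ki).
# f below is a stand-in mixing function, not the real DES f.
def f(r, k):
    return (r * 2654435761 + k) & 0xFFFFFFFF   # arbitrary 32-bit mixing

def feistel(left, right, keys):
    for k in keys:
        left, right = right, left ^ f(right, k)
    return left, right

def feistel_inverse(left, right, keys):
    # same structure with the keys reversed, undoing one round at a time
    for k in reversed(keys):
        left, right = right ^ f(left, k), left
    return left, right

keys = list(range(1, 17))                     # 16 stand-in round keys
l, r = feistel(0x01234567, 0x89ABCDEF, keys)
assert feistel_inverse(l, r, keys) == (0x01234567, 0x89ABCDEF)
```

Each round is invertible even though f itself need not be: given (Li, Ri), the previous halves are recovered as Ri−1 = Li and Li−1 = Ri ⊕ f(Li, Ki).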
TABLE 2.3(a) Initial permutation IP.

    58 50 42 34 26 18 10  2
    60 52 44 36 28 20 12  4
    62 54 46 38 30 22 14  6
    64 56 48 40 32 24 16  8
    57 49 41 33 25 17  9  1
    59 51 43 35 27 19 11  3
    61 53 45 37 29 21 13  5
    63 55 47 39 31 23 15  7

TABLE 2.3(b) Final permutation IP^-1.

    40  8 48 16 56 24 64 32
    39  7 47 15 55 23 63 31
    38  6 46 14 54 22 62 30
    37  5 45 13 53 21 61 29
    36  4 44 12 52 20 60 28
    35  3 43 11 51 19 59 27
    34  2 42 10 50 18 58 26
    33  1 41  9 49 17 57 25
shown in Table 2.4. This table is used in the same way as the permutation tables, except that some bits of Ri-1 are selected more than once; thus, given Ri-1 = r1 r2 ... r32, E(Ri-1) = r32 r1 r2 ... r32 r1.
Next, the exclusive-or of E(Ri-1) and Ki is calculated and the result broken into eight 6-bit blocks B1, ..., B8, where

    E(Ri-1) ⊕ Ki = B1 B2 ... B8 .
TABLE 2.6 Selection functions (S-boxes) S1, ..., S8.

         Column
Row    0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15

S1:
 0    14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
 1     0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
 2     4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
 3    15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

S2:
 0    15  1  8 14  6 11  3  4  9  7  2 13 12  0  5 10
 1     3 13  4  7 15  2  8 14 12  0  1 10  6  9 11  5
 2     0 14  7 11 10  4 13  1  5  8 12  6  9  3  2 15
 3    13  8 10  1  3 15  4  2 11  6  7 12  0  5 14  9

S3:
 0    10  0  9 14  6  3 15  5  1 13 12  7 11  4  2  8
 1    13  7  0  9  3  4  6 10  2  8  5 14 12 11 15  1
 2    13  6  4  9  8 15  3  0 11  1  2 12  5 10 14  7
 3     1 10 13  0  6  9  8  7  4 15 14  3 11  5  2 12

S4:
 0     7 13 14  3  0  6  9 10  1  2  8  5 11 12  4 15
 1    13  8 11  5  6 15  0  3  4  7  2 12  1 10 14  9
 2    10  6  9  0 12 11  7 13 15  1  3 14  5  2  8  4
 3     3 15  0  6 10  1 13  8  9  4  5 11 12  7  2 14

S5:
 0     2 12  4  1  7 10 11  6  8  5  3 15 13  0 14  9
 1    14 11  2 12  4  7 13  1  5  0 15 10  3  9  8  6
 2     4  2  1 11 10 13  7  8 15  9 12  5  6  3  0 14
 3    11  8 12  7  1 14  2 13  6 15  0  9 10  4  5  3

S6:
 0    12  1 10 15  9  2  6  8  0 13  3  4 14  7  5 11
 1    10 15  4  2  7 12  9  5  6  1 13 14  0 11  3  8
 2     9 14 15  5  2  8 12  3  7  0  4 10  1 13 11  6
 3     4  3  2 12  9  5 15 10 11 14  1  7  6  0  8 13

S7:
 0     4 11  2 14 15  0  8 13  3 12  9  7  5 10  6  1
 1    13  0 11  7  4  9  1 10 14  3  5 12  2 15  8  6
 2     1  4 11 13 12  3  7 14 10 15  6  8  0  5  9  2
 3     6 11 13  8  1  4 10  7  9  5  0 15 14  2  3 12

S8:
 0    13  2  8  4  6 15 11  1 10  9  3 14  5  0 12  7
 1     1 15 13  8 10  3  7  4 12  5  6 11  0 14  9  2
 2     7 11  4  1  9 12 14  2  0  6 10 13 15  3  5  8
 3     2  1 14  7  4 10  8 13 15 12  9  0  3  5  6 11
[Figure 2.15: DES key calculation. PC-1 splits the key into halves C0 and D0; at each iteration i, left shifts LSi produce Ci and Di, from which PC-2 extracts the 48-bit key Ki, for i = 1, ..., 16.]

Each S-box Sj maps a 6-bit block Bj = b1b2b3b4b5b6 into a 4-bit block as defined in Table 2.6. This is done as follows: The integer corresponding to b1b6 selects a row in the table, while the integer corresponding to b2b3b4b5 selects a column. The value of Sj(Bj) is then the 4-bit representation of the integer in that row and column.
Example:
If B1 = 010011, then S1 returns the value in row 1, column 9; this is 6, which is represented as 0110. ∎
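The row/column selection can be sketched directly from the S1 table above:

```python
# S-box lookup: bits b1 b6 select the row, b2 b3 b4 b5 the column (Table 2.6).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(table, bits):
    # bits is a 6-character string b1..b6
    row = int(bits[0] + bits[5], 2)        # outer two bits
    col = int(bits[1:5], 2)                # middle four bits
    return format(table[row][col], "04b")  # 4-bit output

print(sbox(S1, "010011"))   # row 1, column 9 -> 6 -> "0110"
```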
Key calculation. Each iteration i uses a different 48-bit key Ki derived from the initial key K. Figure 2.15 illustrates how this is done. K is input as a 64-bit block, with 8 parity bits in positions 8, 16, ..., 64. The permutation PC-1 (permuted choice 1) discards the parity bits and transposes the remaining 56 bits as shown in Table 2.7. The result PC-1(K) is then split into two halves C and D of 28 bits each.
The blocks C and D are then successively shifted left to derive each key Ki. Letting Ci and Di denote the values of C and D used to derive Ki, we have

    Ci = LSi(Ci-1)
    Di = LSi(Di-1) ,

where LSi is a left circular shift by the number of positions shown in Table 2.8, and C0 and D0 are the initial values of C and D. Key Ki is then given by

    Ki = PC-2(Ci Di) ,

where PC-2 is the permutation (permuted choice 2) shown in Table 2.9.
TABLE 2.7 Key permutation PC-1.

    57 49 41 33 25 17  9
     1 58 50 42 34 26 18
    10  2 59 51 43 35 27
    19 11  3 60 52 44 36
    63 55 47 39 31 23 15
     7 62 54 46 38 30 22
    14  6 61 53 45 37 29
    21 13  5 28 20 12  4

TABLE 2.8 Key schedule of left shifts LS.

    Iteration i    Number of Left Shifts
         1                  1
         2                  1
         3                  2
         4                  2
         5                  2
         6                  2
         7                  2
         8                  2
         9                  1
        10                  2
        11                  2
        12                  2
        13                  2
        14                  2
        15                  2
        16                  1
TABLE 2.9 Key permutation PC-2.

    14 17 11 24  1  5
     3 28 15  6 21 10
    23 19 12  4 26  8
    16  7 27 20 13  2
    41 52 31 37 47 55
    30 40 51 45 33 48
    44 49 39 56 34 53
    46 42 50 36 29 32
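The shift schedule can be sketched as follows; PC-1 and PC-2 are elided, so the sketch tracks only the rotating 28-bit halves C and D.

```python
# DES key schedule skeleton: C and D are rotated left per Table 2.8;
# applying PC-2 to each (Ci, Di) (elided here) would yield round key Ki.
LS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]

def rotl28(x, s):
    return ((x << s) | (x >> (28 - s))) & 0xFFFFFFF   # 28-bit circular shift

def halves(c0, d0):
    c, d = c0, d0
    out = []
    for s in LS:
        c, d = rotl28(c, s), rotl28(d, s)
        out.append((c, d))                 # (Ci, Di) for i = 1, ..., 16
    return out

pairs = halves(0x1234567, 0x89ABCDE)
# the shifts total 28, so after 16 iterations C16 = C0 and D16 = D0
assert pairs[-1] == (0x1234567, 0x89ABCDE)
```

That the halves return to their initial values after the 16th iteration is what lets the same schedule be run backward for deciphering.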
Deciphering is performed with the same algorithm, using the keys in reverse order, so that K16 is used in the first iteration and K1 in the 16th iteration. This is because the final permutation IP^-1 is the inverse of the initial permutation IP, and

    Ri-1 = Li
    Li-1 = Ri ⊕ f(Li, Ki) .

Note that whereas the order of the keys is reversed, the algorithm itself is not.
Diffie and Hellman argue that with 56-bit keys, DES may be broken under a known-plaintext attack by exhaustive search. In [Diff77] they show that a special-purpose machine consisting of a million LSI chips could try all 2^56 ≈ 7 × 10^16 keys in 1 day. Each chip would check one key per μsec, or 8.64 × 10^10 keys per day. Whereas it would take almost 10^6 days for one chip to check all keys, 10^6 chips can check the entire key space in 1 day. The cost of such a machine would be about $20 million. Amortized over 5 years, the cost per day would be about $10,000. Because on the average only half the key space would have to be searched, the average search time would be half a day, making the cost per solution only $5,000.
More recently, Diffie [Diff81] has increased this estimate to a 2-day average search time on a $50M machine (using 1980 technology). But he and Hellman [Hell79] both predict the cost of building a special-purpose DES search machine will drop substantially by 1990.
Hellman [Hell80] has also shown that it is possible to speed up the searching process by trading time for memory in a chosen-plaintext attack (see following section). The cost per solution would be $10 on a $5M machine. Because the
attack can be thwarted with techniques such as cipher block chaining (see Chapter 3), the search strategy itself does not pose a real threat.

[Figure 2.16: enciphering a plaintext block by applying DES with key K1, DES^-1 with key K2, and DES with key K1 in succession; deciphering applies the inverse transformations in the reverse order.]
Hellman and others argue that the key size should be doubled (112 bits). Tuchman [Tuch79] claims that the same level of security can be obtained with 56-bit keys, using a multiple encryption scheme invented by Matyas and Meyer. Let DES_K denote the enciphering transformation for key K, and DES_K^-1 the corresponding deciphering transformation. A plaintext message M is enciphered as

    C = DES_K1(DES_K2^-1(DES_K1(M))) ;

that is, it is successively enciphered, deciphered, and then enciphered again, using one key (K1) for the encipherments and another (K2) for the decipherment (see Figure 2.16). The message M is restored by reversing the process and applying the inverse transformations:

    M = DES_K1^-1(DES_K2(DES_K1^-1(C))) .

Merkle and Hellman [Merk81] believe this approach may be less secure than using a single 112-bit key (or even using 3 separate keys in a triple-encryption scheme), showing that it can be theoretically broken under a chosen-plaintext attack using about 2^56 operations and 2^56 keys stored on 4 billion tapes.
Hellman and others have also questioned whether the S-boxes are secure (the analysis behind their design is presently classified). They believe that the design should be unclassified so that it may be publicly evaluated. (See [Suga79, Hell79, Davi79, Bran79, Tuch79] for a debate on these issues.)
There are two naive approaches to breaking a cipher with n keys: exhaustive
search and table lookup. Exhaustive search uses a known-plaintext attack: Given
ciphertext C, the known plaintext M is enciphered with each key K until EK(M) = C. The time complexity is T = O(n) and the space complexity is S = O(1). We saw earlier that if one key can be tested in 1 μsec on a special-purpose chip, then n = 2^56 ≈ 7 × 10^16 keys can be checked in T = 10^6 days, and 1 million chips can search the entire key space in parallel in approximately 1 day.
Table lookup uses a chosen-plaintext attack: For chosen plaintext M0, the ciphertexts Ci = EKi(M0) are precomputed for i = 1, ..., n. The keys Ki are arranged in a table so that Ci gives the index of Ki. Thus, for a given ciphertext, the corresponding key K can be found in time T = O(1), though the space complexity is S = O(n). For 56-bit keys, the space requirements are S = 56(2^56) ≈ 56 × 7 × 10^16 ≈ 4 × 10^18 bits. This would require about 4 billion magnetic tapes (at about 10^9 bits per tape), costing about $80 billion (at $20 per tape).
Hellman's time-memory tradeoff technique is a hybrid approach that trades time for space in a chosen-plaintext attack [Hell80]. Like table lookup, it requires the precomputation and storage of a table. For the time-memory tradeoff technique, however, the table size is only S = O(n^(2/3)). Like exhaustive search, the technique also requires searching. Here again, however, the search time is only T = O(n^(2/3)).
Define

    f(K) = R(EK(M0))

for chosen plaintext M0, where R is a function that reduces a 64-bit block to a 56-bit block (by discarding 8 bits). For a given ciphertext C0 = EK(M0), the objective (of cryptanalysis) is to find the inverse K of f, that is,

    K = f^-1(R(C0)) .
For the precomputation, m starting points SP1, ..., SPm are randomly chosen from the key space. The following values are computed for some integer t and i = 1, ..., m:

    Xi0 = SPi
    Xij = f(Xi,j-1)   (1 ≤ j ≤ t)

(see Table 2.10). The ending points EPi of the computation can thus be expressed: EPi = f^t(SPi) (1 ≤ i ≤ m). The m pairs of values (SPi, EPi) are stored in a table sorted by the EPi. The storage requirements for the table are S = O(m), and the precomputation time is Tp = O(mt).
Given an intercepted ciphertext C0 = EK(M0), the search for K proceeds by first looking for K in column t − 1 of the X's (see Table 2.10). If this fails, the remaining columns are searched in the order t − 2, t − 3, ..., 0. Because the X's are not stored in the table, they must be computed from the starting points as described earlier.
To begin, Y1 = R(C0) is computed in order to reduce C0 to 56 bits. Next, if Y1 = EPi for some i (1 ≤ i ≤ m), then Y1 = f(Xi,t-1). This implies that either K = Xi,t-1 or that f has more than one inverse. This latter event is called a "false alarm." To determine whether Xi,t-1 is correct, it is used to encipher the chosen plaintext M0; K = Xi,t-1 if and only if E_{Xi,t-1}(M0) = C0.
TABLE 2.10

    Starting                                                Ending
    Points                                                  Points

    SP1 = X10 → X11 → X12 → ... → X1,t-2 → X1,t-1 → X1t = EP1
      .
      .
    SPm = Xm0 → Xm1 → Xm2 → ... → Xm,t-2 → Xm,t-1 → Xmt = EPm

(each arrow denotes an application of f)
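The precomputation and search can be illustrated on a toy key space. Everything here is a stand-in: f is an arbitrary function on 12-bit keys rather than R(EK(M0)), and m and t are far smaller than they would be in a real attack.

```python
# Toy time-memory tradeoff: store (SP, EP) chain endpoints, then recover
# a key K from y0 = f(K) by walking y0 forward to an endpoint and
# regenerating that chain from its starting point.
import random

N_KEYS = 2 ** 12
def f(k):
    return (k * 1103 + 12345) % N_KEYS     # stand-in for R(E_K(M0))

m, t = 128, 64                             # m chains, each of length t
random.seed(1)
starts = random.sample(range(N_KEYS), m)
table = {}                                 # EP -> SP
for sp in starts:
    x = sp
    for _ in range(t):
        x = f(x)
    table[x] = sp

def search(y0):
    """Try to recover some K with f(K) = y0 from the stored chains."""
    y = y0
    for _ in range(t):
        if y in table:                     # y may be an ending point
            x = table[y]                   # regenerate the chain from SP
            for _ in range(t):
                if f(x) == y0:             # rules out false alarms
                    return x
                x = f(x)
        y = f(y)                           # keep walking toward an EP
    return None

K = starts[0]                              # a key known to lie on a chain
found = search(f(K))
assert found is not None and f(found) == f(K)
```

Storage is O(m) pairs while the search costs O(t) applications of f per column, which is the time-for-space trade described above.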
Because each table entry consists of a 56-bit starting point SP and a 56-bit ending point EP, the total storage requirements are thus 10^11 × 112 bits, or about 10^13 bits, which can be stored on 10,000 tapes (assuming 10^9 bits per tape). These can be read and searched in 1 day with 100 tape drives. Each tape drive would have a 10^7-bit semiconductor memory for storing one table. Each memory would have 100 DES chips searching for 100 different keys in parallel. The machine would also be capable of doing the precomputation; with all 10,000 DES units operating in parallel, this would take about 1.1 years (using a DES chip operating at 4 μsec per encipherment).
The total parts would cost about $3.6M using 1980 technology. Depreciated over 5 years, this is about $2500 per day, or $25 per solution. With decreasing hardware costs, the cost per solution could drop to $1.
To break a cipher using time-memory tradeoff, it must be possible to perform a chosen-plaintext attack. This is possible when plaintext messages are known to contain commonly occurring sequences (e.g., blanks) or standard headers (e.g., "LOGIN:"), and each block is separately enciphered. Techniques such as cipher block chaining (see Section 3.4.1) protect against this type of attack. The proposed Federal standards suggest taking such precautions.
2.7 EXPONENTIATION CIPHERS

    M^φ(n) mod n = 1 .
Theorem 2.1:
    Given e and d satisfying Eq. (2.4) and a message M ∈ [0, n − 1] such that gcd(M, n) = 1,

        (M^e mod n)^d mod n = M .

Proof:
    We have

        (M^e mod n)^d mod n = M^(ed) mod n = M^(tφ(n)+1) mod n

    for some integer t (because ed mod φ(n) = 1), where

        M^(tφ(n)) mod n = (M^φ(n) mod n)^t mod n
                        = 1^t mod n
                        = 1 .

    Thus,

        M^(ed) mod n = (M * 1) mod n
                     = M . ∎
It is because of this symmetry that the RSA scheme can be used for secrecy and authenticity in a public-key system.
Given φ(n), it is easy to generate a pair (e, d) satisfying Eq. (2.4). This is done by first choosing d relatively prime to φ(n), and then using the extended version of Euclid's algorithm (see Figure 1.22 in Section 1.6.2) to compute its inverse:

    e = inv(d, φ(n)) .   (2.5)

[Because e and d are symmetric, we could also pick e and compute d = inv(e, φ(n)).]
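The function inv can be sketched with the extended Euclidean algorithm (Figure 1.22 itself is not reproduced here):

```python
# inv(d, phi): find e with e*d mod phi = 1, via the extended Euclidean
# algorithm, which tracks the gcd remainders and their cofactors.
def inv(d, phi):
    r0, r1 = phi, d
    t0, t1 = 0, 1
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if r0 != 1:
        raise ValueError("d is not relatively prime to phi")
    return t0 % phi

print(inv(7, 10))    # -> 3, as in the Pohlig-Hellman example below
print(inv(11, 24))   # -> 11, as in the RSA example below
```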
Given e, it is easy to compute d (or vice versa) if φ(n) is known. But if e and n can be released without giving away φ(n) or d, then the deciphering transformation can be kept secret, while the enciphering transformation is made public. It is the ability to hide φ(n) that distinguishes the RSA scheme from the Pohlig-Hellman scheme.
Example:
    Let p = 11, whence φ(p) = p − 1 = 10. Choose d = 7 and compute e = inv(7, 10) = 3. Suppose M = 5. Then M is enciphered as:

        C = M^e mod p = 5^3 mod 11 = 4 .

    Similarly, C is deciphered as:

        M = C^d mod p = 4^7 mod 11 = 5 . ∎
entire computation would take only a few days. But if p is 664 bits long (200 decimal digits),

    T = 1.2 × 10^23 ,

which would take about 10^12 days or several billion years. Figure 2.17 shows a graph of log10 T as a function of the length of p in bits. Techniques for picking large primes are described in the next section.
Pohlig and Hellman also note that their scheme could be implemented in the Galois Field GF(2^n), where 2^n − 1 is a large prime (called a Mersenne prime--e.g., see [Knut69]). Such an implementation would be efficient and have the advantage that all messages would be exactly n bits; furthermore, every element in the range [1, 2^n − 2] could be used as a key.
In the RSA scheme, the modulus n is the product of two large primes p and q:

    n = pq .

Thus

    φ(n) = (p − 1)(q − 1)

(see Theorem 1.3 in Section 1.6.2). The enciphering and deciphering functions are given by Eq. (2.2) and (2.3). Rivest, Shamir, and Adleman recommend picking d relatively prime to φ(n) in the interval [max(p, q) + 1, n − 1] (any prime in the interval will do); e is computed using Eq. (2.5). If inv(d, φ(n)) returns e such that e < log2 n, then a new value of d should be picked to ensure that every encrypted message undergoes some wrap-around (reduction modulo n).
Example:
    Let p = 5 and q = 7, whence n = pq = 35 and φ(n) = (5 − 1)(7 − 1) = 24. Pick d = 11. Then e = inv(11, 24) = 11 (in fact, e and d will always be the same for p = 5 and q = 7--see exercises at end of chapter). Suppose M = 2. Then

        C = M^e mod n = 2^11 mod 35 = 2048 mod 35 = 18 ,

    and

        C^d mod n = 18^11 mod 35 = 2 = M . ∎
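The arithmetic in this example is easy to check with Python's built-in three-argument pow, which performs modular exponentiation:

```python
# Checking the example: p = 5, q = 7, n = 35, phi(n) = 24, d = e = 11, M = 2.
n, e, d, M = 35, 11, 11, 2

C = pow(M, e, n)           # M^e mod n
assert C == 18
assert pow(C, d, n) == M   # C^d mod n restores M
print(C)
```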
Example:
    Let p = 53 and q = 61, whence n = 53 · 61 = 3233 and φ(n) = 52 · 60 = 3120. Letting d = 791, we get e = 71. To encipher the message M = RENAISSANCE, we break it into blocks of 4 digits each, where A = 00, B = 01, ..., Z = 25, and blank = 26 (in practice, characters would be represented by their 8-bit ASCII codes). We thus get
    M = RE   NA   IS   SA   NC   E
      = 1704 1300 0818 1800 1302 0426 .

The first block is enciphered as 1704^71 mod 3233 = 3106. The entire message is enciphered as

    C = 3106 0100 0931 2691 1984 2927 . ∎

[Figure 2.17: log10 T as a function of the length of the modulus in bits, for moduli from 0 to 800 bits.]
Because φ(n) cannot be determined without knowing the prime factors p and q, it is possible to keep d secret even if e and n are made public. This means that the RSA scheme can be used for public-key encryption, where the enciphering transformation is made public and the deciphering transformation is kept secret.
The security of the system depends on the difficulty of factoring n into p and q. The fastest known factoring algorithm, due to Schroeppel (unpublished), takes

    T = exp( sqrt( ln(n) ln(ln(n)) ) )
Algorithm J(a, b): "Evaluate the Jacobi symbol (a/b)"
    if a = 1 then J := 1
    else if a mod 2 = 0 then begin
        if (b*b − 1)/8 mod 2 = 0
            then J := J(a/2, b) else J := −J(a/2, b) end
    else if (a − 1) * (b − 1)/4 mod 2 = 0
        then J := J(b mod a, a) else J := −J(b mod a, a)
steps. This is the same number of steps required to compute the discrete logarithm
in GF(n) when n is prime [see Eq. (2.6) and Figure 2.17]. Rivest, Shamir, and
Adleman suggest using 100-digit numbers for p and q; then n is 200 digits, and
factoring would take several billion years at the rate of one step per microsecond.
The security of the system also depends on using carefully selected primes p and q. If n is 200 digits, then p and q should be large primes of approximately 100 digits each. To find a 100-digit prime p, Rivest, Shamir, and Adleman recommend randomly generating numbers until a number b is found that is "probably" prime. To test b for primality, 100 random numbers a ∈ [1, b − 1] are generated. Then b is almost certain to be prime if the following test (due to Solovay and Strassen [Solo77]) is satisfied for each a:

    gcd(a, b) = 1 and (a/b) = a^((b−1)/2) mod b ,   (2.7)

where (a/b) denotes the Jacobi symbol, evaluated by Algorithm J above.
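Algorithm J and the test (2.7) can be sketched together; J below mirrors the recursive algorithm given above, and probably_prime applies the test to 100 random values of a.

```python
# Jacobi symbol J(a, b) for odd b, and the Solovay-Strassen test:
# b passes for a if gcd(a, b) = 1 and J(a, b) = a^((b-1)/2) mod b.
import math, random

def J(a, b):
    if a == 1:
        return 1
    if a % 2 == 0:
        return J(a // 2, b) if ((b * b - 1) // 8) % 2 == 0 else -J(a // 2, b)
    return J(b % a, a) if ((a - 1) * (b - 1) // 4) % 2 == 0 else -J(b % a, a)

def probably_prime(b, trials=100):
    for _ in range(trials):
        a = random.randint(1, b - 1)
        if math.gcd(a, b) != 1:
            return False
        if J(a, b) % b != pow(a, (b - 1) // 2, b):  # -1 maps to b-1 mod b
            return False
    return True

print(probably_prime(101), probably_prime(91))   # -> True False
```

A composite b passes a single trial with probability at most 1/2, so surviving 100 trials makes b "almost certain" to be prime, as the text says.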
To find a prime p such that p − 1 has a large prime factor, first generate a large random prime p'. Then generate

    p = i * p' + 1,   for i = 2, 4, 6, ...   (2.8)

until p is prime. Further protection may be obtained by picking p' such that p' − 1 has a large prime factor.
Simmons and Norris [Simm77] showed the scheme may be broken without
factoring if p and q are not carefully chosen. They found that for certain keys,
    EA(M) = M^eA mod nA
    DA(EA(M)) = M^(eA·dA) mod nA = M
    DA(M) = M^dA mod nA
Because only A can apply DA, it cannot be forged, and a judge can settle any dispute arising between A and B.
A slight difficulty arises when both secrecy and authenticity are desired,
because it is necessary to apply successive transformations with different moduli.
For example, in order for A to send a signed, secret message to B, A must
transmit:
C = EB(DA(M)).
    C = EB2(DA1(M)) ,

which is computable because nA1 < h < nB2. User B recovers M and checks A's signature by computing

    EA1(DB2(C)) = EA1(DB2(EB2(DA1(M))))
                = EA1(DA1(M))
                = M .
Case 2: nA > nB. Here A transmits C' = DA(EB(M)), and B recovers M by computing

    DB(EA(C')) = DB(EA(DA(EB(M))))
               = DB(EB(M))
               = M .

To settle a dispute, a judge computes

    X  = EB(M)
    X' = EA(C') = EA(DA(EB(M)))

using both A's and B's public transformations, and verifies that X = X'. Table 2.11 summarizes.
In the above approach, the storage requirements for a signed message are the same as for the unsigned message. Thus, in applications where the unsigned message is stored in the clear or as ciphertext encrypted by some other method, the total storage requirements are twice that of the unsigned message alone. An alternative, described by Davies and Price [Davi80], is to compress a message into a "digest" by hashing, and then sign the digest. This reduces the storage requirements for a signed message to a fixed-size block.
TABLE 2.11

                      nA < nB                nA > nB
    A transmits       C = EB(DA(M))          C' = DA(EB(M))
    B computes        M = EA(DB(C))          M = DB(EA(C'))
    B gives judge     M, X = DB(C)           M, C'
    Judge computes    M' = EA(X)             X = EB(M), X' = EA(C')
    Judge tests       M' = M                 X = X'
Shamir, Rivest, and Adleman [Sham80a] show how any commutative cipher can
be used to play a fair game of "mental poker". The scheme is easily implemented
with an exponentiation cipher, where the players share a common modulus n.
Mental poker is played like ordinary poker but without cards and without
verbal communication; all exchanges between the players must be accomplished
using messages. Any player may try to cheat. The requirements for a fair game are
as follows:
1. The game must begin with a "fair deal". Assuming the players have exchanged a sequence of messages to accomplish this, then
   a. The players should know the cards in their own hand but not the others'.
   b. All hands must be disjoint.
   c. All possible hands must be equally likely for each player.
2. During the game, players may want to draw additional cards from the remaining deck; these must also be dealt fairly as described in (1). Players must also be able to reveal cards to their opponents without compromising the security of their remaining cards.
3. At the end of the game, the players must be able to check that the game was played fairly, and that their opponents did not cheat.
For simplicity, assume there are two players Alice and Bob, and each has a
secret key. The keys are not revealed until the end of the game.
Let EA and DA denote Alice's secret transformations, and let EB and DB denote Bob's. The enciphering transformations must commute; that is, for any message M:

    EA(EB(M)) = EB(EA(M)) .

The 52 cards are represented by messages:

    M1: "two of clubs"
    M2: "three of clubs"
    ...
1. Bob enciphers each message Mi with his key and sends the 52 encrypted messages to Alice in a shuffled order.
2. Alice randomly selects 5 encrypted messages and returns them to Bob. Bob deciphers them to determine his hand.
3. Alice randomly selects 5 more encrypted messages, C1, ..., C5. She enciphers them with her key, getting

       Ci' = EA(Ci) ,   i = 1, ..., 5 .

   She then sends the doubly enciphered messages C1', ..., C5' to Bob.
4. Bob deciphers each message Ci' with his key, getting

       DB(Ci') = DB(EA(EB(Mj))) = EA(Mj)

   for some message Mj. He returns these to Alice. She then deciphers them with her key to determine her hand.
During the game, additional cards may be dealt by repeating the preceding proce-
dure. At the end of the game, both players reveal their keys to prove they did not
cheat.
Because exponentiation in modular arithmetic is commutative, mental poker may be implemented with an exponentiation cipher. Bob and Alice agree on a large modulus n with corresponding φ(n). Alice picks a secret key (eA, dA) such that eA·dA mod φ(n) = 1 and uses the transformations:

    EA(M) = M^eA mod n
    DA(M) = M^dA mod n .

Similarly, Bob picks a secret key (eB, dB) and uses the transformations:

    EB(M) = M^eB mod n
    DB(M) = M^dB mod n .
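The commutativity these transformations rely on is easy to check with toy parameters (the modulus and keys below are illustrative, far too small for real use):

```python
# Commutative encipherment: M^(eA*eB) mod n is the same either way.
# Toy parameters: n = 2537 = 43 * 59, phi(n) = 42 * 58 = 2436.
n, phi = 2537, 2436
eA, dA = 13, 937      # eA * dA mod phi = 1
eB, dB = 5, 1949      # eB * dB mod phi = 1
assert eA * dA % phi == 1 and eB * dB % phi == 1

M = 100
both = pow(pow(M, eA, n), eB, n)              # EB(EA(M))
assert both == pow(pow(M, eB, n), eA, n)      # = EA(EB(M))

# Bob removes his layer first, then Alice hers: the card is recovered
assert pow(pow(both, dB, n), dA, n) == M
print(both)
```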
Lipton [Lipt79a] shows that it may be possible to cheat using this encryption method. One way uses quadratic residues. A number a is a quadratic residue modulo n if gcd(a, n) = 1 and there exists an x such that

    x² ≡ a (mod n)

or, equivalently,

    x² mod n = a mod n ;

otherwise, it is a quadratic nonresidue modulo n. Any x satisfying the preceding equations is a square root of a modulo n. Let R2 denote the set of quadratic residues modulo n. For any message M = a, enciphering (or deciphering) M preserves its membership in R2, as shown by the following theorem:
Theorem 2.2:
    Given a, 0 < a < n, a ∈ R2 if and only if EK(a) = a^e mod n ∈ R2, where K = (e, n).

Proof:
    First, suppose a ∈ R2. Then x² mod n = a for some x. Because

        EK(a) = a^e mod n = (x²)^e mod n = (x^e)² mod n ,

    EK(a) is in R2.
    Now, suppose EK(a) ∈ R2. Because deciphering is the same operation as enciphering but with exponent d, (EK(a))^d mod n = a must also be in R2. ∎
Example:
    Let n = 11. Then 3 is a quadratic residue modulo 11 because 5² mod 11 = 3. Suppose e = 4. Then 3^4 mod 11 = 4 is also a quadratic residue because 2² mod 11 = 4. ∎
Alice can exploit this result by noting which cards have messages in R2. After Bob has encrypted and shuffled these messages, she still cannot decipher them. She can tell, however, which correspond to those in R2. If the modulus n is a prime p (as in the Pohlig-Hellman scheme), the probability of a message being in R2 is 1/2; this gives her one bit of information per card, which could help her to win. For example, if she observes that the plaintext messages for all four aces are quadratic residues, she could select quadratic residues for her hand and quadratic nonresidues for Bob's.
For prime p, half the numbers in the range [1, p − 1] are in R2 and half are not. To prove this result, we first prove that the equation x² mod p = a has either two solutions or no solutions. (See also [LeVe77, Nive72, Vino55].)
Theorem 2.3:
    For prime p > 2 and 0 < a < p, the equation

        x² mod p = a

    has either two solutions or no solutions.

Proof:
    If a ∈ R2, there is at least one solution x1. But then p − x1 must also be a solution because

        (p − x1)² mod p = (p² − 2p·x1 + x1²) mod p = x1² mod p = a .
Theorem 2.4:
    For prime p > 2, there are (p − 1)/2 quadratic residues modulo p and (p − 1)/2 quadratic nonresidues.
Proof:
    Clearly the (p − 1)/2 residues

Example:
    For p = 7, the quadratic residues are

        1² mod 7 = 1
        2² mod 7 = 4
        3² mod 7 = 2 . ∎
Theorem 2.5:
    For prime p > 2 and 0 < a < p,

        a^((p−1)/2) mod p = { 1        if a ∈ R2
                            { p − 1    otherwise .   (2.9)

Proof:
    By Fermat's Theorem,

        (a^(p−1) − 1) mod p = 0 .
Example:
    We saw earlier that 1, 2, and 4 are quadratic residues modulo p = 7. We can verify this by computing a^((7−1)/2) mod 7 = a^3 mod 7 for a = 1, 2, 4:

        1^3 mod 7 = 1
        2^3 mod 7 = 1
        4^3 mod 7 = 1 .

    Similarly, we can verify that a = 3, 5, and 6 are quadratic nonresidues by computing

        3^3 mod 7 = 6
        5^3 mod 7 = 6
        6^3 mod 7 = 6 . ∎
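Theorem 2.5 can be checked exhaustively for the small prime used in the examples:

```python
# Euler's criterion (2.9): a^((p-1)/2) mod p is 1 for quadratic residues
# and p-1 for nonresidues.
p = 7
residues = {x * x % p for x in range(1, p)}   # R2 = {1, 2, 4}

for a in range(1, p):
    marker = pow(a, (p - 1) // 2, p)
    assert marker == (1 if a in residues else p - 1)

print(sorted(residues))   # -> [1, 2, 4]
```

The set comprehension also confirms Theorem 2.4: exactly (p − 1)/2 = 3 of the six values are residues.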
Note the relationship between Eq. (2.9) and Eq. (2.7), which is used to test a number b for primality by checking whether

    (a/b) = a^((b−1)/2) mod b

for some random a relatively prime to b. If b is a prime p, then the Jacobi symbol (a/b) is equivalent to the Legendre symbol, also denoted (a/p), which is 1 if a ∈ R2 and −1 otherwise. If b is not prime, let b = p1 p2 ··· pt be the prime factorization of b (factors may repeat). Then the Jacobi symbol (a/b) is defined in terms of the Legendre symbol as follows:

    (a/b) = (a/p1)(a/p2) ··· (a/pt) .

Note that whereas the Jacobi symbol is always congruent to ±1 (mod b), the expression a^((b−1)/2) mod b may not be congruent to ±1 when b is not prime.
Example:
    For n = 9 and a = 2, 2^((9−1)/2) mod 9 = 2^4 mod 9 = 7. ∎
evaluated without knowing the factors. The recursive function J(a, b) given in the previous section for evaluating (a/b) does so by exploiting several properties of the Jacobi symbol, namely:

    1. (1/b) = 1 .
    2. (a1·a2/b) = (a1/b)(a2/b) .
    3. (2/b) = (−1)^((b²−1)/8) .
    4. (a/b) = (b mod a / a) · (−1)^((a−1)(b−1)/4)   if gcd(a, b) = 1 .
1. Bob picks a number x at random and sends Alice

       a = x² mod n .   (2.10)

2. Alice, knowing p and q, computes the four roots of a: x, n − x, y, n − y (see discussion following). She picks one of these roots at random and sends it to Bob.
3. If Bob receives y or n − y, he can determine p and q from x and y by computing

       gcd(x + y, n) = p or q .
Equation (2.10) has four roots because n has two distinct prime factors. By Theorem 1.7, we know that any solution x of Eq. (2.10) must be a common solution of

    x² mod p = a mod p   (2.11)
    x² mod q = a mod q . (2.12)

By Theorem 2.3, Eq. (2.11) has two solutions: x1 and p − x1, and Eq. (2.12) has two solutions: x2 and q − x2. The four solutions of Eq. (2.10) are thus obtained using the Chinese Remainder Theorem (Theorem 1.8).
Now, finding the solutions of Eq. (2.11) and (2.12) is particularly easy if p + 1 and q + 1 are divisible by 4. Observe that

    (a^((p+1)/4))² mod p = a^((p+1)/2) mod p = a (a^((p−1)/2)) mod p = a .

The last equality holds because a is a quadratic residue modulo p; thus, by Theorem 2.5, a^((p−1)/2) mod p = 1. This gives us the two solutions:

    x1 = a^((p+1)/4) mod p
    x2 = a^((q+1)/4) mod q .
Note that Bob cannot find the root y of Eq. (2.10) without knowing p and q. If he accidentally picks an x that is a multiple of p or q, he can compute gcd(x, n) = p or q, but the probability of this happening is small for large p and q.
Example:
    Let p = 3 and q = 7. Then n = pq = 21. Suppose Bob picks x = 5 and sends to Alice

        a = 5² mod 21 = 4 .

    Alice computes x1 = 4^((3+1)/4) mod 3 = 1 and x2 = 4^((7+1)/4) mod 7 = 2, giving the four roots

        z1 = crt(n, p, q, x1, x2) = 16
        z2 = crt(n, p, q, x1, q − x2) = 19
        z3 = crt(n, p, q, p − x1, x2) = 2
        z4 = crt(n, p, q, p − x1, q − x2) = 5 .

    If Alice returns y = 19, Bob computes

        gcd(x + y, n) = gcd(5 + 19, 21)
                      = gcd(24, 21) = 3 = p ,

    whence q = n/p = 21/3 = 7. ∎
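The four roots in the example can be computed with the (p + 1)/4 shortcut and a small Chinese-Remainder helper; crt below is an illustrative stand-in for the routine of Theorem 1.8, with the same argument order as in the example.

```python
# Four square roots of a mod n = p*q, for p and q congruent to 3 mod 4.
def crt(n, p, q, rp, rq):
    # smallest x in [0, n) with x = rp (mod p) and x = rq (mod q)
    inv_p = pow(p, -1, q)                  # p^-1 mod q (Python 3.8+)
    return (rp + p * ((rq - rp) * inv_p % q)) % n

p, q = 3, 7
n = p * q
a = 5 * 5 % n                              # Bob sends a = 4
x1 = pow(a, (p + 1) // 4, p)               # root of a mod p -> 1
x2 = pow(a, (q + 1) // 4, q)               # root of a mod q -> 2

roots = sorted({crt(n, p, q, rp, rq)
                for rp in (x1, p - x1) for rq in (x2, q - x2)})
print(roots)                               # -> [2, 5, 16, 19]
assert all(r * r % n == a for r in roots)
```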
The oblivious transfer protocol can be used to flip coins by telephone, exchange secrets, and send certified mail [Blum81a, Rabi81, Blum81b]. We shall describe the protocol for coin flipping by telephone. The problem here is to devise a scheme whereby Bob can call HEADS or TAILS and Alice can flip in such a way that each has a 50% chance of winning. Flipping a real coin over the telephone is clearly unsatisfactory because if Bob calls HEADS, Alice can simply say "Sorry, TAILS." The solution given by Blum [Blum81a] is as follows:
Merkle and Hellman [Merk78] proposed a scheme whose security depends on the difficulty of solving the following 0-1 knapsack problem:
Example:
    Let n = 5, C = 14, and A = (1, 10, 5, 22, 3). Then M = (1, 1, 0, 0, 1) is a solution. ∎
and, for i = n − 1, n − 2, ..., 1,

    mi = 1 if and only if ( C − Σ_{j=i+1}^{n} mj aj ) ≥ ai .

An algorithm for solving simple knapsacks is shown in Figure 2.19.
Example:
    Rearranging the elements of the vector in the preceding example to give A' = (1, 3, 5, 10, 22) shows that A' is a simple knapsack vector, whence snap(14, A') gives the solution (1, 1, 0, 1, 0). ∎
Merkle and Hellman show how to convert a simple knapsack into a trapdoor knapsack that is hard to solve without additional information. First, a simple knapsack vector A' = (a1', ..., an') is selected. This allows an easy solution to a problem C' = A'M. Next, an integer u is chosen such that

    u > 2 an' > Σ_{i=1}^{n} ai' .

Then an integer w is chosen such that gcd(u, w) = 1, and the inverse w^-1 of w mod u is computed using w^-1 = inv(w, u) (see Section 1.6.2). Finally, the vector A' is transformed into a hard knapsack vector A = wA' mod u; that is,

    ai = w * ai' mod u .

A message M is enciphered as C = EA(M) = AM. Because

    w^-1 C mod u = w^-1 (AM) mod u = A'M ,

C is deciphered by computing

    DA(C) = snap(w^-1 C mod u, A') = M .
Example:
    Let A' = (1, 3, 5, 10), u = 20, and w = 7. Then w^-1 = 3. The simple vector A' is transformed into the "hard" vector

        A = (7*1 mod 20, 7*3 mod 20, 7*5 mod 20, 7*10 mod 20)
          = (7, 1, 15, 10) .

    Let M = 13, which is the binary vector (1, 1, 0, 1). Then

        C = EA(M) = 7 + 1 + 10 = 18 ,

    and

        DA(C) = DA(18)
              = snap(3 * 18 mod 20, A') = snap(14, A')
              = (1, 1, 0, 1)
              = 13 . ∎
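The example can be replayed in a short sketch; snap below is an illustrative implementation of the simple-knapsack solver (the book's Figure 2.19 algorithm is not reproduced here).

```python
# Trapdoor knapsack sketch with the example's parameters:
# A' = (1, 3, 5, 10), u = 20, w = 7, w^-1 = 3.
def snap(c, a_simple):
    # solve a simple (superincreasing) knapsack back-to-front
    m = [0] * len(a_simple)
    for i in reversed(range(len(a_simple))):
        if c >= a_simple[i]:
            m[i] = 1
            c -= a_simple[i]
    return m if c == 0 else None

a_simple = [1, 3, 5, 10]
u, w, w_inv = 20, 7, 3
assert w * w_inv % u == 1

a_hard = [w * ai % u for ai in a_simple]       # public vector (7, 1, 15, 10)

M = [1, 1, 0, 1]                               # the message 13 in binary
C = sum(ai * mi for ai, mi in zip(a_hard, M))  # encipher: C = A M = 18
assert C == 18
assert snap(w_inv * C % u, a_simple) == M      # decipher with the trapdoor
print(a_hard, C)
```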
suggested previously). The first strategy fails because the deciphering algorithm becomes ambiguous when t < n, and the scheme is insecure when t is sufficiently small. To implement the second strategy, an n-bit message M is broken into d multi-bit chunks m1, ..., md such that each coefficient mi in Eq. (2.13) is n/d bits, and only d elements ai are needed. This strategy also fails because such "compact knapsacks" are easier to solve than 0-1 knapsacks.
Enciphering and deciphering are faster, however, than in the RSA scheme. For n = 200, enciphering requires at most 200 additions, while deciphering requires at most 200 subtractions plus one multiplication in modular arithmetic. In contrast, the RSA scheme requires about 1000 multiplications in modular arithmetic to encipher and decipher. Henry [Henr81] presents a fast knapsack decryption algorithm that optimizes the evaluation of C' = w^-1 C mod u. Since the terms in parentheses are independent of C, they can be precomputed and stored in a table. Computation of C' thus reduces to a sequence of at most n table lookups and n − 1 additions, followed by a single reduction mod u. The reduction mod u is "easy" in that the sum can be no larger than nu.
    C' = (R, M, S) ,

where R = Σ_{j=1}^{n} Rj mj and S = Σ_{j=1}^{n} Sj mj. Notice that the vector of bit strings ((In, Sn), ..., (I1, S1)) (i.e., the elements aj listed in reverse order and without the Rj's) is a simple knapsack vector. The Rj's are added to obscure this property. These knapsacks are even easier to solve than Merkle-Hellman trapdoor knapsacks, however, because M can be extracted directly from the binary representation of C'.
Example:
    Let n = 5, where A' is given by:

        j    Rj       Ij      Sj
        1    011010   10000   000101   = a1'
        2    001001   01000   000011   = a2'
        3    010010   00100   000100   = a3'
        4    011000   00010   000111   = a4'
        5    000110   00001   000001   = a5'

    Let M = (0, 1, 0, 0, 1). Then

        C' = A'M
           = a2' + a5'
           = (R2 + R5, I2 + I5, S2 + S5)
           = 001111 01001 000100 . ∎
Unlike the RSA exponentiation scheme, the trapdoor knapsack schemes cannot be used for authentication. The reason is that the enciphering function is not "onto" the entire message space; thus, certain messages (indeed most!) cannot be deciphered before they are enciphered.
Shamir [Sham78a] shows how a trapdoor knapsack can be constructed to provide digital signatures. Shamir's knapsacks, however, cannot be used for secrecy. The scheme is based on the following NP-complete knapsack problem, which is also an extension of the one defined by Karp [Karp72].
    M = Σ_{j=1}^{2k} c_j a_j mod n ,    (2.14)

where each c_j is an integer in the range [0, log n]. The knapsack vector A is made
public; a message M is an integer in the range [0, n - 1], and C is the signature of M.
The recipient of a pair (M, C) can validate the signature by checking that
    E_A(C) = CA mod n = M .
But the recipient cannot forge a signature for another message M' without solving
the knapsack problem. The signer, however, has secret trapdoor information for
generating a signature C = D_A(M).

The secret trapdoor information is a k × 2k binary matrix H whose values
are chosen at random. The vector A is constructed to satisfy the following system
of modular linear equations:
    | h_{1,1}  h_{1,2}  . . .  h_{1,2k} |   | a_1    |   | 2^0     |
    | h_{2,1}  h_{2,2}  . . .  h_{2,2k} |   | a_2    |   | 2^1     |
    |    .                        .     | . |   .    | = |   .     |  mod n ,
    | h_{k,1}  h_{k,2}  . . .  h_{k,2k} |   | a_{2k} |   | 2^{k-1} |

giving

    Σ_{j=1}^{2k} h_{ij} a_j = 2^{i-1} mod n ,    i = 1, . . . , k .
Because there are only k equations in 2k unknowns, k values of A can be chosen at
random, and the remaining values determined by solving the preceding system.
Let M be a message, and let M̄ = (m_1, . . . , m_k) be the reversal of M in
binary (i.e., m_i is the ith low-order bit in M, 1 ≤ i ≤ k). M is signed by computing

    C = D_A(M) = M̄H ,

whence

    c_j = Σ_{i=1}^{k} m_i h_{ij}    (1 ≤ j ≤ 2k) .

The recipient validates C by computing

    E_A(C) = CA mod n = Σ_{j=1}^{2k} c_j a_j mod n
           = Σ_{j=1}^{2k} ( Σ_{i=1}^{k} m_i h_{ij} ) a_j mod n
           = Σ_{i=1}^{k} m_i ( Σ_{j=1}^{2k} h_{ij} a_j ) mod n
           = Σ_{i=1}^{k} m_i 2^{i-1} mod n
           = M .
Example:
Let k = 3 and n = 7. This will allow us to sign messages in the range [0, 6].
Let H be as follows:

    H = | 1 0 1 0 0 1 |
        | 0 1 1 1 0 1 |
        | 1 0 1 1 1 0 |

and pick a1 = 1, a2 = 2, and a3 = 3. Solving for the remaining values of A, we
get a4 = 0, a5 = 0, and a6 = 4, whence A = (1, 2, 3, 0, 0, 4). Let M = 3;
because this is 011 in binary, M̄ = (1, 1, 0). The signature C is thus:

    C = M̄H
      = (1 1 0) | 1 0 1 0 0 1 |
                | 0 1 1 1 0 1 |
                | 1 0 1 1 1 0 |
      = (1, 1, 2, 1, 0, 2) .

To validate C we compute

    CA mod 7 = [(1, 1, 2, 1, 0, 2) . (1, 2, 3, 0, 0, 4)] mod 7
             = [1 + 2 + 6 + 0 + 0 + 8] mod 7
             = 17 mod 7
             = 3 .  ∎
The signing procedure thus far is insecure, because someone might be able to
determine H by examining enough (M, C) pairs. To prevent this, messages are
randomized before they are signed. This is done using a random binary vector
R = (r_1, . . . , r_2k). First, M is replaced by

    M' = (M - RA) mod n ,

where RA = Σ_{j=1}^{2k} r_j a_j. Then M' is signed as before, giving C' = D_A(M'),
and the signature of M is C = C' + R. Validation still succeeds, because

    CA mod n = (C'A + RA) mod n = (M' + RA) mod n = M .
Example:
Let k, n, H, A, and M be as before, and let R = (1, 0, 0, 0, 1, 1). Then

    M' = (M - RA) mod n
       = (3 - [(1, 0, 0, 0, 1, 1) . (1, 2, 3, 0, 0, 4)]) mod 7
       = (3 - [1 + 0 + 0 + 0 + 0 + 4]) mod 7
       = (3 - 5) mod 7 = -2 mod 7
       = 5 .

Because M' = 5 is 101 in binary, M̄' = (1, 0, 1), and

    C' = M̄'H mod n = (2, 0, 2, 1, 1, 1) .

The signature of M is thus

    C = C' + R = (2, 0, 2, 1, 1, 1) + (1, 0, 0, 0, 1, 1)
      = (3, 0, 2, 1, 2, 2) ,

which the reader should verify is also valid.  ∎
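Both signatures can be checked mechanically. The sketch below reworks the two examples; the first row of H is taken as 101001, the reading consistent with the signatures printed above.

```python
# Reworking both signature examples (k = 3, n = 7).
# H's first row is taken as 101001; A = (1, 2, 3, 0, 0, 4).

n, k = 7, 3
H = [[1, 0, 1, 0, 0, 1],
     [0, 1, 1, 1, 0, 1],
     [1, 0, 1, 1, 1, 0]]
A = [1, 2, 3, 0, 0, 4]

def sign(M):
    """C = M-bar H, where m_i is the ith low-order bit of M."""
    m = [(M >> i) & 1 for i in range(k)]
    return [sum(m[i] * H[i][j] for i in range(k)) for j in range(2 * k)]

def validate(M, C):
    """Check E_A(C) = CA mod n = M."""
    return sum(c * a for c, a in zip(C, A)) % n == M

# Unrandomized signature of M = 3:
assert sign(3) == [1, 1, 2, 1, 0, 2] and validate(3, sign(3))

# Randomized signature with R = (1, 0, 0, 0, 1, 1):
R = [1, 0, 0, 0, 1, 1]
M_prime = (3 - sum(r * a for r, a in zip(R, A))) % n   # M' = 5
C = [cp + r for cp, r in zip(sign(M_prime), R)]        # C = (3, 0, 2, 1, 2, 2)
assert validate(3, C)
```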
In another knapsack-based scheme, a message M is enciphered with a secret
binary key K and a fresh random binary vector R by computing

    S = A(K ⊕ R) = Σ_{i=1}^{n} a_i (k_i ⊕ r_i)

and transmitting

    C = (L, R), where L = M ⊕ S .

Because the last n bits of C contain R, a receiver knowing K and A can compute S
and exclusive-or it with L (the first t bits of C) to recover M.

A cryptanalyst, knowing A and a single (M, C) pair, can find S by
computing

    L ⊕ M = (M ⊕ S) ⊕ M = S .
Given several pairs (M_i, C_i), the cryptanalyst obtains S_i and R_i from each.
Using the identity k ⊕ r = k + r - 2kr for bits k and r,

    K ⊕ R_i = K + R_i - 2(K * R_i)
            = R_i + K * U_i ,

where U_i = 1 - 2R_i and multiplication (*) is componentwise. This leads to the
system of equations

    S_i = A(K ⊕ R_i)
        = A(R_i + K * U_i)
        = AR_i + (U_i * A)K ,    i = 1, . . . , n .
Thus the system is readily solved for K when the Ui are linearly independent and
the a i positive. The probability of N >~ n pairs (M;, C;) containing a subset of n
linearly independent U i is bounded below by approximately 1/3 for N = n, and
quickly approaches 1 as N increases.
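The componentwise bit identity on which the derivation rests can be confirmed exhaustively:

```python
# Exhaustive check of the bit identities used above:
# k XOR r = k + r - 2kr = r + k(1 - 2r).

for kbit in (0, 1):
    for rbit in (0, 1):
        assert kbit ^ rbit == kbit + rbit - 2 * kbit * rbit
        assert kbit ^ rbit == rbit + kbit * (1 - 2 * rbit)
```

The second form is what converts each exclusive-or into an expression linear in the unknown key bits, which is exactly the linearity the attack exploits.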
This example shows that it is not enough to base a cipher on a computation-
ally hard problem. It is necessary to show that the cipher cannot be broken under
any form of attack. The weakness in the scheme is caused by the linear relation-
ship between the plaintext and ciphertext, which does not hold in the other knap-
sack schemes.
EXERCISES
2.5 Solve the cipher

        15 20
        17  9

    with the Hill cipher. (The plaintext is a two-letter word of English.)
2.6 Solve the cipher of Figures 2.8-2.10 by finding the remaining two key char-
acters and deciphering the text.
2.7 Consider a linear substitution cipher that uses the transformation f(a) = ak
mod 26. Suppose it is suspected that the plaintext letter J (9) corresponds to
the ciphertext letter P (15); i.e., 9k mod 26 = 15. Break the cipher by solving
for k.
2.8 Consider an affine substitution cipher using the transformation f(a) = (ak1
+ k0) mod 26. Suppose it is suspected that the plaintext letter E (4) corre-
sponds to the ciphertext letter F (5) and that the plaintext letter H (7)
corresponds to the ciphertext letter W (22). Break the cipher by solving for
k1 and k0.
2.9 Determine the unicity distance of ciphers based on affine transformations of
the form f(a) = (ak1 + k0) mod 26. Assume the keys k0 and k1 generate a
complete set of residues, and that all such keys are equally likely.
2.10 Consider a homophonic cipher that uses 26h ciphertext symbols, assigning h
homophones to each letter of the English alphabet. Determine the number of
possible keys (i.e., assignments of homophones), and use your result to calcu-
late the unicity distance of the cipher.
2.11 Suppose that the keys used with DES consist only of the letters A - Z and are
8 letters long. Give an approximation of the length of time it would take to
try all such keys using exhaustive search, assuming each key can be tested in
one μsec. Do the same for keys 8 letters or digits long.
2.12 Let X' denote the bit-by-bit complement of a block X. Show that if C
= DES_K(M), then C' = DES_K'(M'). Explain how this property can be
exploited in a chosen-plaintext attack to reduce the search effort by roughly
50%. (Hint: Obtain the ciphertext for a plaintext M and its complement M'.)
(This symmetry in the DES was reported in [Hell76].)
2.13 Consider the RSA encryption scheme with public keys n = 55 and e = 7.
Encipher the plaintext M = 10. Break the cipher by finding p, q, and d.
Decipher the ciphertext C = 35.
2.14 Consider the Pohlig-Hellman exponentiation cipher, where
    E_K(M) = M^e mod p(x)
    D_K(C) = C^d mod p(x) ,

e = 5, d = 3, p(x) = x^3 + x + 1, and exponentiation is performed in the
field GF(2^3). Because φ(p) = 7 (see Section 1.6.3), ed mod φ(p) = 1. Let M
= x^2 + 1 = 101 in binary. Compute C = E_K(M). Compute D_K(C), showing
that deciphering restores M.
2.15 Consider the RSA encryption scheme with n = pq, where p = 5 and q = 7.
Prove that all keys d and e in the range [0, φ(n) - 1] must satisfy the
equality d = e.
2.16 Consider the equations

        x mod p = x1 or p - x1
        x mod q = x2 or q - x2 ,

    where n = pq for primes p and q. There are four common solutions, given by . . .

Consider the encryption scheme

        C = M(M + b) mod n ,

    where b and n are public and n = pq for secret primes p and q. Give a
    deciphering algorithm for the case where p + 1 and q + 1 are divisible by 4.
    (Hint: compute d such that 2d mod n = b. Then . . .)
2.21 Suppose that the public key for a Merkle-Hellman knapsack system is given
by the vector A = (17, 34, 2, 21, 41), and that the ciphertext C = 72 resulted
from enciphering some number M with A. The secret key is given by the
values u = 50 and w = 17. Find M by deciphering C.
2.22 Consider Shamir's signature-only knapsack scheme, and let n = 7 and

        H = | 0 1 0 0 1 0 |
            |    . . .    |
            | 0 0 0 0 0 1 | .

    Given a1 = 1, a2 = 2, and a3 = 3, compute a4, a5, and a6. Sign the message M
    = 3, first without randomizing, and then using the random vector R = (0, 1,
    0, 1, 0, 1). Check the validity of both signatures.
2.23 Class Computer Project:
Teacher: Write a program to encipher a reasonably long message using a
Vigenère or Beaufort cipher. (Optional: provide programs to compute the
index of coincidence IC and print histograms of letter frequencies.)
Students: Break the cipher using the computer to analyze the ciphertext and
to decipher the message.
2.24 Class Computer Project: Implement the DES.
Teacher: Write programs to convert ASCII character sequences into 64-bit
blocks and vice versa. Each 64-bit block can be represented internally as a
bit or character array of '1's and '0's so the bits are easily addressed; it can
be represented externally as a record containing 64 characters ('1's and '0's).
Create a file containing the data for the DES tables. Implement the DES,
and encipher a message for the students. Give the students a skeleton of your
program containing the declarations and statements used to input the DES
tables.
Students: Complete the program and decipher the message.
2.25 Class Computer Project: Implement the RSA scheme using a 7-digit num-
ber n (this can be guaranteed by picking p and q in the range [1000, 3162])
and 6-digit data blocks.
Teacher: Write programs to convert character streams into 6-digit blocks
and vice versa (assign a 2-digit number to each character).
Students: Generate keys. Exchange public keys and messages.
2.26 Class Computer Project: Implement one of the trapdoor knapsack encryp-
tion schemes.
REFERENCES
Adle79. Adleman, L., "A Subexponential Algorithm for the Discrete Logarithm Problem
with Applications to Cryptography," Proc. IEEE 20th Annual Symp. on Found. of
Comp. Sci., pp. 55-60 (Oct. 1979).
Bark77. Barker, W. G., Cryptanalysis of the Hagelin Cryptograph, Aegean Park Press,
Laguna Hills, Calif. (1977).
Beal78. "The Beale Ciphers," The Beale Cypher Assoc., Medfield, Mass. (1978).
Blak78. Blakley, B. and Blakley, G. R., "Security of Number Theoretic Public Key Crypto-
systems Against Random Attack," Cryptologia. In three parts: Part I: Vol. 2, No. 4
(Oct. 1978), pp. 305-321; Part II: Vol. 3, No. 1 (Jan. 1979), pp. 29-42; Part III: Vol.
3, No. 2 (Apr. 1979), pp. 105-118.
Blak79. Blakley, G. R. and Borosh, I., "Rivest-Shamir-Adleman Public Key Cryptosystems
Do Not Always Conceal Messages," Comp. & Math. with Applic. Vol. 5 pp. 169-
178 (1979).
Blum81a. Blum, M., "Three Applications of the Oblivious Transfer: 1. Coin Flipping by
Telephone, 2. How to Exchange Secrets, 3. How to Send Certified Electronic Mail,"
Dept. EECS, Univ. of California, Berkeley, Calif. (1981).
Blum81b. Blum, M. and Rabin, M. O., "How to Send Certified Electronic Mail," Dept.
EECS, Univ. of California, Berkeley, Calif. (1981).
Bran79. Branstad, D., "Hellman's Data Does Not Support His Conclusion," IEEE Spec-
trum Vol. 16(7) p. 41 (July 1979).
Davi79. Davida, G. I., "Hellman's Scheme Breaks DES in its Basic Form," IEEE Spec-
trum Vol. 16(7) p. 39 (July 1979).
Davi80. Davies, D. W. and Price, W. L., "The Application of Digital Signatures Based on
Public Key Cryptosystems," NPL Report DNACS 39/80, National Physical Lab.,
Teddington, Middlesex, England (Dec. 1980).
Deav80a. Deavours, C. A., "The Black Chamber: A Column; How the British Broke Enig-
ma," Cryptologia Vol. 4(3) pp. 129-132 (July 1980).
Deav80b. Deavours, C. A., "The Black Chamber: A Column; La Méthode des Bâtons,"
Cryptologia Vol. 4(4) pp. 240-247 (Oct. 1980).
Diff76. Diffie, W. and Hellman, M., "New Directions in Cryptography," IEEE Trans. on
Info. Theory Vol. IT-22(6) pp. 644-654 (Nov. 1976).
Diff77. Diffie, W. and Hellman, M., "Exhaustive Cryptanalysis of the NBS Data Encryp-
tion Standard," Computer Vol. 10(6) pp. 74-84 (June 1977).
Diff79. Diffie, W. and Hellman, M., "Privacy and Authentication: An Introduction to
Cryptography," Proc. IEEE Vol. 67(3) pp. 397-427 (Mar. 1979).
Diff81. Diffie, W., "Cryptographic Technology: Fifteen Year Forecast," BNR Inc., Moun-
tain View, Calif. (Jan. 1981).
Feis70. Feistel, H., "Cryptographic Coding for Data-Bank Privacy," RC-2827, T. J. Wat-
son Research Center, Yorktown Heights, N.Y. (Mar. 1970).
Feis73. Feistel, H., "Cryptography and Computer Privacy," Sci. Am. Vol. 228(5) pp. 15-
23 (May 1973).
Feis75. Feistel, H., Notz, W. A., and Smith, J., "Some Cryptographic Techniques for
Machine to Machine Data Communications," Proc. IEEE Vol. 63(11) pp. 1545-
1554 (Nov. 1975).
Frie18. Friedman, W. F., "Methods for the Solution of Running-Key Ciphers," Riverbank
Publication No. 16, Riverbank Labs, Geneva, Ill. (1918).
Frie20. Friedman, W. F., "The Index of Coincidence and Its Applications in Cryptogra-
phy," Riverbank Publication No. 22, Riverbank Labs., Geneva, Ill. (1920).
Frie67. Friedman, W. F., "Cryptology," Encyclopedia Britannica Vol. 6 pp. 844-851
(1967).
Gain56. Gaines, H. F., Cryptanalysis, Dover, New York (1956).
Gard77. Gardner, M., "Mathematical Games," Sci. Am. Vol. 237(2) pp. 120-124 (Aug.
1977).
Gill80. Gillogly, J. J., "The Beale Ciphers: A Dissenting Opinion," Cryptologia Vol. 4(2)
pp. 116-119 (Apr. 1980).
Hamm71. Hammer, C., "Signature Simulation and Certain Cryptographic Codes," Comm.
ACM Vol. 14(1) pp. 3-14 (Jan. 1971).
Hamm79. Hammer, C., "How Did TJB Encode B2?" Cryptologia Vol. 3(1) pp. 9-15 (Jan.
1979).
Hamm81. Hammer, C., "High Order Homophonic Ciphers," Cryptologia Vol. 5(4) pp.
231-242, (Oct. 1981).
Hell76. Hellman, M., Merkle, R., Schroeppel, R., Washington, L., Diffie, W., Pohlig, S.,
and Schweitzer, P., "Results of an Initial Attempt to Cryptanalyze the NBS Data
Encryption Standard," Information Systems Lab., Dept. of Electrical Eng., Stanford
Univ. (1976).
Hell79. Hellman, M. E., "DES Will Be Totally Insecure Within Ten Years," IEEE Spec-
trum Vol. 16(7) pp. 32-39 (July 1979).
Hell80. Hellman, M. E., "A Cryptanalytic Time-Memory Tradeoff," IEEE Trans. on Info.
Theory Vol. IT-26(4) pp. 401-406 (July 1980).
Henr81. Henry, P. S., "Fast Decryption Algorithm for the Knapsack Cryptographic Sys-
tem," Bell System Tech. J., Vol. 60 (5) pp. 767-773 (May-June 1981).
Hill29. Hill, L. S., "Cryptography in an Algebraic Alphabet," Am. Math. Monthly Vol. 36
pp. 306-312 (June-July 1929).
Kahn67. Kahn, D., The Codebreakers, Macmillan Co., New York (1967).
Kam78. Kam, J. B. and Davida, G. I., "A Structured Design of Substitution-Permutation
Encryption Networks," pp. 95-113 in Foundations of Secure Computation, ed. R. A.
DeMillo et al., Academic Press, New York (1978).
Karp72. Karp, R. M., "Reducibility Among Combinatorial Problems," pp. 85-104 in Com-
plexity of Computer Computations, ed. R. E. Miller and J. W. Thatcher, Plenum
Press, New York (1972).
Kasi63. Kasiski, E W., Die Geheimschriften und die Dechiffrir-kunst, Mittler & Son
(1863).
Knut69. Knuth, D., The Art of Computer Programming, Vol. 2: Seminumerical Algo-
rithms, Addison-Wesley, Reading, Mass. (1969).
Konf78. Kohnfelder, L. M., "On the Signature Reblocking Problem in Public-Key Crypto-
systems," Comm. ACM Vol. 21(2) p. 179 (Feb. 1978).
Konh81. Konheim, A. G., Cryptography: A Primer, John Wiley & Sons, New York (1981).
Kowa80. Kowalchuk, J., Shanning, B. P., and Powers, S. A., "Communications Privacy:
Integration of Public and Secret Key Cryptography," Proc. Nat'l. Telecommunica-
tions Conf., pp. 49.1.1-49.1.5 (Dec. 1980).
Kruh77. Kruh, L., "The Churchyard Ciphers," Cryptologia Vol. 1(4) pp. 372-375 (Oct.
1977).
Lemp79. Lempel, A., "Cryptology in Transition," Computing Surveys Vol. 11(4) pp. 285-
303 (Dec. 1979).
LeVe77. LeVeque, W. J., Fundamentals of Number Theory, Addison-Wesley, Reading,
Mass. (1977).
Lipt79a. Lipton, R. J., "How to Cheat at Mental Poker," Comp. Sci., Dept. Univ. of Calif.,
Berkeley, Calif. (Aug. 1979).
Lipt79b. Lipton, R. J., "An Improved Power Encryption Method," Comp. Sci., Dept. Univ.
of Calif., Berkeley, Calif. (Aug. 1979).
Mell73. Mellen, G. E., "Cryptology, Computers, and Common Sense," pp. 569-579 in
Proc. NCC, Vol. 42, AFIPS Press, Montvale, N.J. (1973).
Merk78. Merkle, R. C. and Hellman, M. E., "Hiding Information and Signatures in Trap-
door Knapsacks," IEEE Trans. on Info. Theory Vol. IT-24(5) pp. 525-530 (Sept.
1978).
Merk81. Merkle, R. C. and Hellman, M. E., "On the Security of Multiple Encryption,"
Comm. ACM Vol. 24(7) pp. 465-467 (July 1981).
Morr77. Morris, R., Sloane, N. J. A., and Wyner, A. D., "Assessment of the National
Bureau of Standards Proposed Federal Data Encryption Standard," Cryptologia Vol.
1(3) pp. 281-291 (July 1977).
NBS77. "Data Encryption Standard," FIPS PUB 46, National Bureau of Standards,
Washington, D.C. (Jan. 1977).
Nive72. Niven, I. and Zuckerman, H. S., An Introduction to the Theory of Numbers, John
Wiley & Sons, New York (1972).
Pele79. Peleg, S. and Rosenfeld, A., "Breaking Substitution Ciphers Using a Relaxation
Algorithm," Comm. ACM Vol. 22(11) pp. 598-605 (Nov. 1979).
Pohl78a. Pohlig, S. and Hellman, M., "An Improved Algorithm for Computing Logarithms
over GF(p) and its Cryptographic Significance," IEEE Trans. on Info. Theory Vol.
IT-24(1) pp. 106-110 (Jan. 1978).
Pohl78b. Pohlig, S., "Bounds on a Class of Easily Solved Knapsacks," MIT Lincoln Lab.,
Lexington, Mass. (1978).
Prat42. Pratt, F., Secret and Urgent, Blue Ribbon Books, Garden City, N.Y. (1942).
Rabi79. Rabin, M. O., "Digitalized Signatures and Public-Key Functions as Intractable as
Factorization," MIT/LCS/TR-212, MIT Lab. for Computer Science, Cambridge,
Mass. (Jan. 1979).
Rabi81. Rabin, M. O., "Exchange of Secrets," Dept. of Applied Physics, Harvard Univ.,
Cambridge, Mass. (1981).
Rive78a. Rivest, R. L., Shamir, A., and Adleman, L., "A Method for Obtaining Digital
Signatures and Public-Key Cryptosystems," Comm. ACM Vol. 21(2) pp. 120-126
(Feb. 1978).
Rive78b. Rivest, R. L., "Remarks on a Proposed Cryptanalytic Attack of the M.I.T. Public
Key Cryptosystem," Cryptologia Vol. 2(1) pp. 62-65 (Jan. 1978).
Rive80. Rivest, R. L., "A Description of a Single-Chip Implementation of the RSA Ci-
pher," Lambda Vol. 1(3) pp. 14-18 (1980).
Rive81. Rivest, R. L., "Statistical Analysis of the Hagelin Cryptograph," Cryptologia Vol.
5(1) pp. 27-32 (Jan. 1981).
Sam79. Sam, E., "Musical Cryptography," Cryptologia Vol. 3(4) pp. 193-201 (Oct. 1979).
Schr79. Schroeppel, R. and Shamir, A., "A TS^2 = O(2^n) Time/Space Tradeoff for Certain
NP-Complete Problems," Proc. IEEE 20th Annual Symp. on Found. of Comp. Sci.
(Oct. 1979).
Sham78a. Shamir, A., "A Fast Signature Scheme," MIT/LCS/TM-107, MIT Lab. for
Computer Science, Cambridge, Mass. (July 1978).
Sham79. Shamir, A., "On the Cryptocomplexity of Knapsack Systems," Proc. 11th Annual
ACM Symp. on the Theory of Computing, pp. 118-129 (1979).
Sham80a. Shamir, A., Rivest, R. L., and Adleman, L. M., "Mental Poker," in The Math-
ematical Gardner, ed. D. Klarner, Prindle, Weber & Schmidt, Boston, Mass. (1980).
Sham80b. Shamir, A., "The Cryptographic Security of Compact Knapsacks (Preliminary
Report)," pp. 94-99 in Proc. 1980 Symp. on Security and Privacy, IEEE Computer
Society (Apr. 1980).
Sham80c. Shamir, A. and Zippel, R. E., "On the Security of the Merkle-Hellman Crypto-
graphic Scheme," IEEE Trans. on Info. Theory Vol. IT-26(3) pp. 339-340 (May
1980).
Shan49. Shannon, C. E., "Communication Theory of Secrecy Systems," Bell Syst. Tech. J.
Vol. 28 pp. 656-715 (Oct. 1949).
Simm77. Simmons, G. J. and Norris, J. N., "Preliminary Comments on the M.I.T. Public
Key Cryptosystem," Cryptologia Vol. 1(4) pp. 406-414 (Oct. 1977).
Sink66. Sinkov, A., Elementary Cryptanalysis, Math. Assoc. Am. (1966).
Solo77. Solovay, R. and Strassen, V., "A Fast Monte-Carlo Test for Primality," SIAM J.
Computing Vol. 6 pp. 84-85 (Mar. 1977).
Stah73. Stahl, F. A., "A Homophonic Cipher for Computational Cryptography," pp. 565-
568 in Proc. NCC, Vol. 42, AFIPS Press, Montvale, N.J. (1973).
Suga79. Sugarman, R., "On Foiling Computer Crime," IEEE Spectrum Vol. 16(7) pp. 31-
32 (July 1979).
Tuch79. Tuchman, W., "Hellman Presents No Shortcut Solutions to the DES," IEEE
Spectrum Vol. 16(7) pp. 40-41 (July 1979).
Vino55. Vinogradov, I. M., An Introduction to the Theory of Numbers, Pergamon Press,
Elmsford, N.Y. (1955).
Ward85. Ward, J. B., The Beale Papers, Pamphlet printed by Virginian Book and Job
Print; reprinted by The Beale Cypher Assoc., Medfield, Mass. (1885).
Will80. Williams, H. C., "A Modification of the RSA Public-Key Encryption Algorithm,"
IEEE Trans. on Info. Theory Vol. IT-26(6) pp. 726-729 (Nov. 1980).
3
Cryptographic Techniques

Let M be a plaintext message. A block cipher breaks M into successive blocks M1,
M2, . . . , and enciphers each Mi with the same key K; that is,

    EK(M) = EK(M1)EK(M2) . . . .

A stream cipher breaks M into successive characters or bits m1, m2, . . . , and
enciphers each mi with the ith element ki of a key stream K = k1k2 . . . ; that is,

    EK(M) = Ek1(m1)Ek2(m2) . . . .
A stream cipher is periodic if the key stream repeats after d characters, for some
fixed d; otherwise, it is nonperiodic. Ciphers generated by Rotor and Hagelin
machines are periodic stream ciphers. The Vernam cipher (one-time pad) and
running-key ciphers are nonperiodic stream ciphers.
A periodic substitution cipher with a short period (e.g., the Vigenère cipher) is
normally regarded as a stream cipher because plaintext characters are enciphered
one by one, and adjacent characters are enciphered with a different part of the
key. But it has characteristics in common with both types of ciphers. Let K = k1k2
. . . kd, where d is the period of the cipher. The cipher can be regarded as a block
cipher, where each Mi is a block of d letters:

    EK(M) = EK(M1)EK(M2) . . . ,

or as a stream cipher, where each mi is one letter, and K is repeated in the key
stream; that is, the key stream is:

         K              K              K
    k1 . . . kd    k1 . . . kd    k1 . . . kd    . . .
For short periods, the cipher is more like a block cipher than a stream cipher, but
it is a weak block cipher because the characters are not diffused over the entire
block. As the length of the period increases, the cipher becomes more like a stream
cipher.
There are two different approaches to stream encryption: synchronous meth-
ods and self-synchronous methods (see Table 3.2). In a synchronous stream cipher,
the key stream is generated independently of the message stream. This means that
if a ciphertext character is lost during transmission, the sender and receiver must
Table 3.2  Stream encryption methods.

    Synchronous methods
        Linear feedback shift registers
        Output-block feedback mode
        Counter method
    Self-synchronous methods
        Autokey cipher
        Cipher feedback mode

[Figure 3.1: after a transmission error, a self-synchronous cipher deciphers
incorrectly until synchronization is restored; subsequent ciphertext is again
correctly deciphered.]
resynchronize their key generators before they can proceed further. Furthermore,
this must be done in a way that ensures no part of the key stream is repeated (thus
the key generator should not be reset to an earlier state). All the stream ciphers we
have discussed so far are synchronous. Section 3.2 describes three methods better
suited for digital computers and communications: Linear Feedback Shift Regis-
ters, output-block feedback mode, and the counter method. These ciphers are also
periodic.
In a self-synchronous stream cipher, each key character is derived from a
fixed number n of preceding ciphertext characters. Thus, if a ciphertext character
is lost or altered during transmission, the error propagates forward for n charac-
ters, but the cipher resynchronizes by itself after n correct ciphertext characters
have been received (see Figure 3.1). Section 3.3 describes two self-synchronous
stream ciphers: autokey ciphers and cipher feedback mode. Self-synchronous
stream ciphers are nonperiodic because each key character is functionally depen-
dent on the entire preceding message stream.
Even though self-synchronous stream ciphers do not require resynchroniza-
tion when errors occur, transmission errors cannot be ignored. The errors could be
a sign of active wiretapping on the channel. Even if the errors are not caused by
wiretapping, retransmission is necessary if the application requires recovery of lost
or damaged characters.
Although protocols for recovering from transmission errors are beyond the
scope of this book, we shall briefly describe the role of error detecting and correct-
ing codes in cryptographic systems. Diffie and Hellman [Diff79] observe that if
errors are propagated by the decryption algorithm, applying error detecting codes
before encryption (and after decryption; see Figure 3.2) provides a mechanism
for authenticity, because modifications to the ciphertext will be detected by the
error decoder. Block ciphers and self-synchronous stream ciphers propagate errors,
so this strategy is applicable for both of these modes of operation. Synchronous
stream ciphers, on the other hand, do not propagate errors because each ciphertext
character is independently enciphered and deciphered. If a fixed linear error de-
tecting code is used, then an opponent could modify the ciphertext character and
adjust the parity bits to match the corresponding changes in the message bits. To
protect against this, a keyed or nonlinear error detecting code can be used. Error
correcting codes must be applied after encryption (because of the error propaga-
tion by the decryption algorithm), but can be used with error detecting codes
(applied before encryption) for authentication.
Communication protocols for initiating and terminating connections and
synchronizing key streams are also beyond the scope of this book. It is worth
noting, however, that such protocols must require message acknowledgement to
detect deletion of messages. (For a more detailed description of the cryptography-
communications interface, see [Bran75,Bran78,Feis75,Kent76,Pope79].)
All the stream ciphers discussed in this chapter use a simple exclusive-or
operation for enciphering and deciphering (as in the Vernam cipher). Thus, the
enciphering algorithm is given by:
    c_i = E_{k_i}(m_i) = m_i ⊕ k_i ,

where each k_i, m_i, and c_i is one bit or character. The deciphering algorithm is the
same:

    D_{k_i}(c_i) = c_i ⊕ k_i
                 = (m_i ⊕ k_i) ⊕ k_i
                 = m_i .
[Figure 3.3: the sender combines the message stream with the key stream to
produce the ciphertext stream; the receiver combines the ciphertext stream with
the same key stream to recover the message stream.]
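The symmetry of enciphering and deciphering can be seen in a few lines; the five-byte key stream below is an arbitrary illustration.

```python
# Enciphering and deciphering with a key stream are the same
# exclusive-or operation, applied character by character.

def xor_stream(data: bytes, key_stream: bytes) -> bytes:
    return bytes(d ^ k for d, k in zip(data, key_stream))

key_stream = bytes([0x5A, 0x13, 0xC7, 0x08, 0x99])   # illustrative only
c = xor_stream(b"HELLO", key_stream)
assert xor_stream(c, key_stream) == b"HELLO"         # deciphering restores M
```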
Even a good pseudo-random number generator is not always suitable for key
generation. Linear Feedback Shift Registers are an example; given a relatively
small number of plaintext-ciphertext pairs, a cryptanalyst can easily derive the
entire key stream. Because this technique illustrates the possible pitfalls of key
generators, we shall describe it before turning to methods that appear to be much
stronger.
During each iteration, the low-order bit r1 of the register R = (rn, . . . , r1)
is emitted as the next bit of the key stream, the remaining bits are shifted down,
and the new high-order bit is computed from the tap sequence T = (tn, . . . , t1):

    r'_n = TR = Σ_{i=1}^{n} t_i r_i mod 2 = t1r1 ⊕ t2r2 ⊕ . . . ⊕ tnrn .

[Figure 3.4: an n-stage shift register R with taps t1, . . . , tn feeding the
high-order stage; the low-order stage supplies the key stream.]
Thus,
R' = HR mod 2 , (3.1)
where H is the n × n matrix

        | t_n  t_{n-1}  t_{n-2}  . . .  t_3  t_2  t_1 |
        |  1      0        0     . . .   0    0    0  |
    H = |  0      1        0     . . .   0    0    0  |
        |  0      0        1     . . .   0    0    0  |
        |                     .                       |
        |  0      0        0     . . .   1    0    0  |
        |  0      0        0     . . .   0    1    0  | .
The register generates a key stream of maximal period 2^n - 1 provided the
polynomial

    T(x) = t_n x^n + t_{n-1} x^{n-1} + . . . + t_1 x + 1 ,

formed from the elements in the tap sequence plus the constant 1, is primitive. A
primitive polynomial of degree n is an irreducible polynomial that divides x^{2^n - 1} + 1,
but not x^d + 1 for any d that divides 2^n - 1. Primitive trinomials of the form
T(x) = x^n + x^a + 1 are particularly appealing, because only two stages of the
feedback register need be tapped. (See [Golu67,Pete72,Zier68,Zier69] for tables
of primitive polynomials.)
Example:
Figure 3.5 illustrates a 4-stage LFSR with tap sequence T = (1, 0, 0, 1);
thus there are taps on bits r1 and r4. The matrix H is given by

        | 1 0 0 1 |
    H = | 1 0 0 0 |
        | 0 1 0 0 |
        | 0 0 1 0 | .
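A minimal simulation of this example follows. It is our own sketch: it emits the low-order bit each step and feeds the tap sum back into the high-order stage, which end is emitted being an assumption; the maximal period is the point of the demonstration.

```python
# Sketch of the 4-stage LFSR of the example: T = (1, 0, 0, 1),
# i.e., taps on r1 and r4.

def lfsr_stream(taps, state, count):
    """Return `count` key bits from an LFSR with the given taps/state."""
    bits = []
    for _ in range(count):
        bits.append(state[0])            # emit low-order bit r1
        fb = 0
        for t, r in zip(taps, state):
            fb ^= t & r                  # feedback = sum of t_i r_i mod 2
        state = state[1:] + [fb]         # shift; insert feedback bit on top
    return bits

one_period = lfsr_stream([1, 0, 0, 1], [1, 0, 0, 0], 15)
# The feedback polynomial here is primitive, so the period is 2^4 - 1 = 15:
assert lfsr_stream([1, 0, 0, 1], [1, 0, 0, 0], 30) == one_period * 2
```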
[Figure 3.6: the LFSR key generator, initialized with a seed I0, is run
identically by sender and receiver to encipher and decipher the bit stream.]
A cryptanalyst who knows 2n plaintext-ciphertext bit pairs can recover the key
stream directly:

    m_i ⊕ c_i = m_i ⊕ (m_i ⊕ k_i) = k_i ,    for i = 1, . . . , 2n .
The weakness of LFSRs is caused by the linearity of Eq. (3.1). A better approach
is to use a nonlinear transformation. Nonlinear block ciphers such as the DES
seem to be good candidates for this. Figure 3.7 illustrates an approach called
output-block feedback mode (OFM). The feedback register R is used as input to a
block encryption algorithm E_B with key B. During the ith iteration, E_B(R) is com-
puted, the low-order (rightmost) character of the output block becomes the ith key
character k_i, and the entire block is fed back through R to be used as input during
the next iteration. Note that each k_i is one character rather than just a single bit;
this is to reduce the number of encipherments with E_B, which will be considerably
more time-consuming than one iteration of an LFSR. A message stream is broken
into characters and enciphered in parallel with key generation as described earlier.
The technique has also been called internal feedback [Camp78] because the feed-
back is internal to the process generating the key stream; by contrast, the self-
synchronous method described in Section 3.3.2 uses a feedback loop derived from
the ciphertext stream. (See [Gait77] for a discussion of using DES in OFM.)
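A structural sketch of OFM follows. A real implementation would use DES for E_B; here a keyed hash stands in so the example is self-contained, and the shape of the feedback loop is the point.

```python
# Sketch of output-block feedback mode (OFM).  `toy_block_cipher` is
# NOT a real cipher -- a stand-in keyed function replacing E_B.

import hashlib

def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    return hashlib.sha256(key + block).digest()[:8]

def ofm_crypt(key: bytes, seed: bytes, data: bytes) -> bytes:
    R, out = seed, []
    for d in data:
        R = toy_block_cipher(key, R)   # entire output block is fed back
        out.append(d ^ R[-1])          # low-order character becomes k_i
    return bytes(out)

key, seed = b"B" * 8, b"\x00" * 8
c = ofm_crypt(key, seed, b"ATTACK AT DAWN")
assert ofm_crypt(key, seed, c) == b"ATTACK AT DAWN"
```

Because the key stream depends only on B and the seed, not on the message, the same call enciphers and deciphers.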
[Figure 3.7: output-block feedback mode. Figure 3.8: the counter method, in
which the feedback register is replaced by a counter initialized to I0; in both
modes all but the low-order character of each output block is discarded.]
In Section 2.4.4, we saw that stream ciphers could be broken if the key
stream repeated. For this reason, synchronous stream ciphers have limited applica-
bility to file and database encryption; if an element is inserted into the middle of a
file, the key stream cannot be reused to reencipher the remaining portion of the
file. To see why, suppose an element m' is inserted into the file after the ith
element. We have:
    original plaintext:   . . .  m_i  m_{i+1}   m_{i+2}   . . .
    key stream:           . . .  k_i  k_{i+1}   k_{i+2}   . . .
    original ciphertext:  . . .  c_i  c_{i+1}   c_{i+2}   . . .

    updated plaintext:    . . .  m_i  m'        m_{i+1}   . . .
    key stream:           . . .  k_i  k_{i+1}   k_{i+2}   . . .
    updated ciphertext:   . . .  c_i  c'_{i+1}  c'_{i+2}  . . .
Bayer and Metzger [Baye76] show that if m' is known, then all key elements k_j
and plaintext elements m_j (j > i) can be determined from the original and updated
ciphertext:

    k_{i+1} = c'_{i+1} ⊕ m' ,        m_{i+1} = c_{i+1} ⊕ k_{i+1} ,
    k_{i+2} = c'_{i+2} ⊕ m_{i+1} ,   m_{i+2} = c_{i+2} ⊕ k_{i+2} ,

and so on. Note that a cryptanalyst does not need to know the position in the file
where the insertion is made; this can be determined by comparing the original and
updated versions of the file.
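The attack is short enough to demonstrate on toy data (0-based indices; the key stream, file contents, and insertion point below are arbitrary):

```python
# A known m' is inserted at position i while the key stream is reused;
# everything after the insertion then leaks.

import random

random.seed(1)
key = [random.randrange(256) for _ in range(8)]    # reused key stream
msg = [random.randrange(256) for _ in range(7)]
i, m_new = 3, 0x42                                 # insertion point, known m'

orig = [m ^ k for m, k in zip(msg, key)]
updated = [m ^ k for m, k in zip(msg[:i] + [m_new] + msg[i:], key)]

# Recover every k_j and m_j beyond the insertion from the two ciphertexts:
m_known = m_new
for j in range(i, len(msg)):
    k_j = updated[j] ^ m_known      # updated plaintext at position j is m_known
    m_j = orig[j] ^ k_j             # original ciphertext then reveals m_j
    assert k_j == key[j] and m_j == msg[j]
    m_known = m_j                   # the recovered m_j precedes c'_{j+1}
```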
Synchronous stream ciphers protect against ciphertext searching, because
identical blocks of characters in the message stream are enciphered under a differ-
ent part of the key stream. They also protect against injection of false ciphertext,
replay, and ciphertext deletion, because insertions or deletions in the ciphertext
stream cause loss of synchronization.
Synchronous stream ciphers have the advantage of not propagating errors; a
transmission error affecting one character will not affect subsequent characters.
But this is also a disadvantage in that it is easier for an opponent to modify
(without detection) a single ciphertext character than a block of characters. As
noted earlier, a keyed or nonlinear error detecting code helps protect against this.
A self-synchronous stream cipher derives each key character from a fixed number
n of preceding ciphertext characters [Sava67]. The genesis of this idea goes back
to the second of two autokey ciphers invented by Vigenère in the 16th century
[Kahn67]. We shall first describe Vigenère's schemes, and then describe a method
suited for modern cryptographic systems.
An autokey cipher is one in which the key is derived from the message it enciphers.
In Vigenère's first cipher, the key is formed by appending the plaintext M = m1m2
. . . to a "priming key" character k1; the ith key character (i > 1) is thus given by
k_i = m_{i-1}.

Example:
Given the priming key D, the plaintext RENAISSANCE is enciphered as
follows, using a shifted substitution cipher (Vigenère actually used other
substitutions):

    M      = RENAISSANCE
    K      = DRENAISSANC
    EK(M)  = UVRNIAKSNPG .  ∎
In Vigenère's second cipher, the key is instead formed by appending the ciphertext
to the priming key, so that k_i = c_{i-1}.

Example:
Here the plaintext RENAISSANCE is enciphered with the priming key D
as follows:

    M      = RENAISSANCE
    K      = DUYLLTLDDQS
    EK(M)  = UYLLTLDDQSW .  ∎
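Both schemes reduce to a few lines, reproducing the examples above (shifted substitution with A = 0, . . . , Z = 25):

```python
# Vigenere's two autokey ciphers with a shifted substitution.

def shift(m, k):
    """Encipher letter m under key letter k: c = (m + k) mod 26."""
    return chr((ord(m) + ord(k) - 2 * ord("A")) % 26 + ord("A"))

def autokey_plaintext(msg, prime):        # first cipher: key = prime + M
    key = prime + msg
    return "".join(shift(m, k) for m, k in zip(msg, key))

def autokey_ciphertext(msg, prime):       # second cipher: key = prime + C
    out, k = [], prime
    for m in msg:
        k = shift(m, k)                   # next key char is this ciphertext char
        out.append(k)
    return "".join(out)

assert autokey_plaintext("RENAISSANCE", "D") == "UVRNIAKSNPG"
assert autokey_ciphertext("RENAISSANCE", "D") == "UYLLTLDDQSW"
```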
Vigenère's system is weak because it exposes the key in the ciphertext stream. This
problem is easily remedied by passing the ciphertext characters through a nonlin-
ear block cipher to derive the key characters.

[Figure 3.9: cipher feedback; each new ciphertext character c_i is shifted into
the feedback register R, whose enciphered value supplies the next key character.]

The technique is called cipher feed-
back mode (CFB) because the ciphertext characters participate in the feedback
loop. It is sometimes called "chaining", because each ciphertext character is func-
tionally dependent on (chained to) preceding ciphertext characters. This mode has
been approved by the National Bureau of Standards for use with DES [GSA77].
Figure 3.9 illustrates. The feedback register R is a shift register, where each
ciphertext character c_i is shifted into one end of R immediately after being gener-
ated (the character at the other end is simply discarded). As before, R is initialized
to the seed I0. During each iteration, the value of R is used as input to a block
encryption algorithm E_B, and the low-order character of the output block becomes
the next key character.
With CFB, transmission errors affect the feedback loop. If a ciphertext char-
acter is altered (or lost) during transmission, the receiver's shift register will differ
from the transmitter's, and subsequent ciphertext will not be correctly deciphered
until the erroneous character has shifted out of the register. Because the registers
are synchronized after n cycles (where n is the number of characters per block), an
error affects at most n characters; after that, the ciphertext is correct (see Figure
3.1).
CFB is comparable to the counter method in its ability to access data in
random access files. To decipher the ith ciphertext character c_i, it suffices to load
the feedback register with the n preceding ciphertext characters c_{i-n}, ..., c_{i-1}, and
execute one cycle of the feedback loop to get k_i.
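A byte-level sketch of this mode follows, with a keyed one-way hash standing in for the block algorithm E_B; CFB never inverts E_B, so any pseudorandom block function illustrates it (the SHA-256 stand-in and the names are our assumptions, not DES or the book's notation):

```python
import hashlib

def EB(key, block):
    # Stand-in for the block algorithm E_B (e.g., DES in the text); CFB
    # never inverts E_B, so a keyed one-way hash suffices for this sketch.
    return hashlib.sha256(key + block).digest()

def cfb(key, seed, data, decrypt=False):
    # Character (byte) CFB: the register R always holds the n most recent
    # ciphertext bytes, initialized to the seed I_0.
    n = len(seed)
    R = bytes(seed)
    out = bytearray()
    for b in data:
        k = EB(key, R)[-1]          # low-order byte of the output block
        o = b ^ k
        out.append(o)
        c = b if decrypt else o     # the ciphertext byte feeds back
        R = R[1:] + bytes([c])
    return bytes(out)
```

The random-access property above is visible directly: for i >= n, loading the register with ciphertext bytes i-n through i-1 and running one cycle recovers k_i, and hence the ith plaintext byte.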
With CFB, it is possible to make an insertion or deletion in a file without
reenciphering the entire file. It is, however, necessary to reencipher all characters
after the place of insertion or deletion, or the following block of characters will not
be decipherable. Reencipherment can be confined to a single record in a file by
reinitializing the feedback loop for each record. Although this exposes identical
records, identical records can be concealed by prefixing each record with a random
block of characters, which is discarded when the record is deciphered for process-
ing. Note that cipher feedback is not vulnerable to the insertion/deletion attack
described for synchronous ciphers. This is because the key stream is automatically
changed by any change in the message stream.
Self-synchronous ciphers protect against ciphertext searching because differ-
ent parts of the message stream are enciphered under different parts of the key
stream. They also protect against all types of authenticity threats because any
change to the ciphertext affects the key stream. Indeed, the last block of ciphertext
is functionally dependent on the entire message, serving as a checksum for the
entire message.
A checksum refers to any fixed length block functionally dependent on every
bit of the message, so that different messages have different checksums with high
probability. Checksums are frequently appended to the end of messages for au-
thentication. The method of computing the checksum should ensure that two mes-
sages differing by one or more bits produce the same checksum with probability
only 2^{-n}, where n is the length of the checksum in bits. CFB can be used to compute
checksums for plaintext data when authenticity is required in the absence of secre-
cy. Although a checksum does not usually provide the same level of security as
encrypting the entire message, it is adequate for many applications.
We have seen how a block encryption algorithm E can be used to generate a key
stream in either synchronous or self-synchronous mode. This raises an obvious
question: Is it better to use a block encryption algorithm for block encryption, or to
use it for stream encryption? Although the answer to this question depends on the
requirements of the particular application, we can make some general observations
about the efficiency and security of the different approaches.
Using block encryption directly is somewhat faster than either stream mode,
because there will be only one execution of the encryption algorithm per n charac-
ters rather than n executions. This may not be an important factor, however, when
the algorithm is implemented in special-purpose hardware capable of encrypting
several million bits per second (as for some DES implementations). Such data
rates are well beyond the capabilities of slow-speed telecommunications lines. Fur-
thermore, block encryption is not inherently faster than stream encryption; stream
encryption can be speeded up by using a faster generator, and, for applications
requiring high speed, a key stream can be generated in advance with synchronous
stream encryption (see [Brig80]).
With block encryption, transmission errors in one ciphertext block have no
effect on other blocks. This is comparable to cipher feedback mode, where a
transmission error in one ciphertext character affects only the next n characters,
which is equivalent to one block.
Block encryption may be more susceptible to cryptanalysis than either
stream mode. Because identical blocks of plaintext yield identical blocks of cipher-
text, blocks of blanks or keywords, for example, may be identifiable for use in a
known-plaintext attack. This is not a problem with stream encryption because
repetitions in the plaintext are enciphered under different parts of the key stream.
With block encryption, short blocks at the end of a message must also be padded
with blanks or zeros, which may make them vulnerable to cryptanalysis.
In database systems, enciphering each field of a record as a separate block is
not usually satisfactory. If the fields are short, padding increases the storage re-
quirements of the database, and may leave the data vulnerable to cryptanalysis.
Enciphering the fields with an algorithm that operates on short blocks does not
solve the problem, because the algorithm will be weaker.
Even if the fields are full size and cryptanalysis impossible, information can
be vulnerable to ciphertext searching. Consider a database containing personnel
records. Suppose the Salary field of each record is enciphered as a single block,
and that all salaries are enciphered under the same key. The Name fields are in
the clear, so that a particular individual's record can be identified. A user can
determine which employees earn salaries equal to Smith's by searching for those
records with ciphertext Salary fields identical to Smith's. This problem demon-
strates the need to protect nonconfidential information as well as confidential
information, and the possible pitfalls of enciphering database records by fields,
especially when multiple records are enciphered under one key.
Block encryption is more susceptible to replay than stream encryption. If
each block is independently enciphered with the same key, one block can be re-
played for another. Figure 3.10 shows how a transaction "CREDIT SMITH $10"
can be changed to "CREDIT SMITH $5000" by replaying a block containing the
ciphertext for $5000 (see [Camp78]). This type of replay is not possible with a
stream cipher (assuming the key stream is not repeated). One simple solution is to
append checksums to the end of messages.
Replay can also be a problem in databases. Consider again the database of
employee records, where each record contains a Salary field enciphered as a sepa-
rate block, and all salaries are enciphered under one key. Suppose a user can
[Figure 3.10: Replaying a ciphertext block. Before replay: CREDIT JONES $5000. After replay: CREDIT SMITH $5000.]
identify the records in the database belonging to Smith and to Jones, and that
Jones's salary is known to be higher than Smith's. By copying Jones's enciphered
Salary field into Smith's record, Smith's salary is effectively increased. The
change will not be detected. Adding a checksum to each record can thwart this
type of attack, but cannot protect against attacks based on ciphertext searching as
described earlier.
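Both weaknesses, ciphertext searching and field replay, can be demonstrated in a few lines. The keyed hash below is merely a stand-in for a deterministic block encipherment; the names, key, and salary values are invented for illustration:

```python
import hashlib

def E(key, block):
    # Deterministic block-encryption stand-in (a truncated keyed hash).
    # Any block cipher applied directly, one block at a time under one key,
    # has the property exploited below: equal plaintext blocks yield equal
    # ciphertext blocks.
    return hashlib.sha256(key + block).digest()[:8]

key = b'database-key'          # hypothetical database key
records = {                    # Name fields in the clear, Salary enciphered
    'Smith': E(key, b'$45000'),
    'Jones': E(key, b'$90000'),
    'Brown': E(key, b'$45000'),
}

# Ciphertext searching: find everyone earning the same salary as Smith,
# without deciphering anything.
same_as_smith = sorted(n for n, c in records.items() if c == records['Smith'])

# Replay: copy Jones's enciphered Salary field into Smith's record; the
# substituted field deciphers cleanly and nothing in the ciphertext betrays it.
records['Smith'] = records['Jones']
```

Here `same_as_smith` includes Brown, and after the replay Smith's enciphered salary is indistinguishable from a legitimately enciphered field.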
Block encryption is also vulnerable to insertion and deletion of blocks, be-
cause these changes to the message stream do not affect surrounding blocks. Al-
though it may be difficult to create false ciphertext for textual data, it may not be
for numeric data. If, for example, the objective is simply to make the balance in an
account nonzero, any positive integer will do. As noted earlier, applying error
detecting codes before encryption protects against this threat. Checksums can also
be added.
A database system with secure access controls can prevent unauthorized
users from searching or modifying ciphertext (or plaintext) as described in these
examples. Access controls are not always foolproof, however, and cannot generally
prevent users from browsing through data on removable storage devices such as
tapes and disks, or from tapping communications channels.
The following subsections describe two strategies for making block encryp-
tion more resistant to attack.
Feistel [Feis73] showed that block ciphers could be made more resistant to crypt-
analysis and ciphertext substitution (including replay) using a technique called
block chaining. Before enciphering each plaintext block M_i, some of the bits of the
previous ciphertext block C_{i-1} are inserted into unused bit positions of M_i, thereby
chaining the blocks together. Kent [Kent76] proposed a similar approach using
sequence numbers. Both strategies protect against insertions, deletions, and modi-
fications in the message stream in much the same way as a stream cipher in cipher
feedback mode. But, unlike cipher feedback mode, they reduce the number of
available message bits per block.
This is remedied by an approach called cipher block chaining (CBC), which
has been suggested for use with the DES [GSA77]. CBC is similar to cipher
feedback (CFB), except that an entire block of ciphertext is fed back through a
register to be exclusive-ored with the next plaintext block. The result is then
passed through a block cipher E_K with key K (see Figure 3.11). The ith plaintext
block M_i is thus enciphered as

    C_i = E_K(M_i ⊕ C_{i-1}) ,

where C_0 is the seed I_0.
Because each ciphertext block C_i is computed from M_i and the preceding cipher-
text block C_{i-1}, one transmission error affects at most two blocks. At the same
time, each C_i is functionally dependent on all preceding ciphertext blocks, so the
statistical properties of the plaintext are diffused across the entire ciphertext,
making cryptanalysis more difficult. Like cipher feedback mode, the last block
serves as a checksum, so the method can also be used to compute checksums for
messages encrypted under another scheme or stored as plaintext.
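CBC can be sketched with any invertible block cipher for E_K; here a toy four-round Feistel network (an assumption of this sketch, not the DES) keeps the example self-contained:

```python
import hashlib

BS = 8   # block size in bytes

def F(key, r, half):
    # Round function for the toy Feistel cipher (a truncated keyed hash).
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BS // 2]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def EK(key, block):
    # Toy 4-round Feistel network standing in for the block cipher E_K.
    L, R = block[:BS // 2], block[BS // 2:]
    for r in range(4):
        L, R = R, xor(L, F(key, r, R))
    return L + R

def DK(key, block):
    # Inverse of EK: run the rounds backward.
    L, R = block[:BS // 2], block[BS // 2:]
    for r in reversed(range(4)):
        L, R = xor(R, F(key, r, L)), L
    return L + R

def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for M in blocks:                 # C_i = E_K(M_i XOR C_{i-1}), C_0 = I_0
        prev = EK(key, xor(M, prev))
        out.append(prev)
    return out

def cbc_decrypt(key, iv, blocks):
    out, prev = [], iv
    for C in blocks:                 # M_i = D_K(C_i) XOR C_{i-1}
        out.append(xor(DK(key, C), prev))
        prev = C
    return out
```

Flipping one bit of ciphertext block C_i garbles the deciphered blocks i and i+1 and no others, matching the error-propagation claim above.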
CBC is similar to CFB in its resistance to all forms of attack (including
ciphertext searching, replay, insertion, and deletion). It is more efficient than CFB
in that it uses a single execution of the block encryption algorithm for each mes-
sage block. It also protects a block cipher against the time-memory tradeoff attack
described in Section 2.6.3. To see why, let C_i be the ciphertext corresponding to the
chosen plaintext M_0. Since D_K(C_i) = M_0 ⊕ C_{i-1}, to determine K a cryptanalyst
would have to generate the tables of starting and ending points using M_0 ⊕ C_{i-1}
rather than M_0. But this would rule out the possibility of precomputing the tables
or of using the same tables to break more than one cipher.
CBC is used in the Information Protection System (IPS), a set of crypto-
graphic application programs designed by IBM [Konh80]. The algorithms E and
D are implemented with DES. The IPS facilities allow users to encrypt and de-
crypt entire files, and to call the encryption functions from their programs. Chain-
ing may be applied either to a single record (called block chaining in IPS) or to a
collection of records (called record chaining). Under block chaining, the feedback
register is reset to I0 at the beginning of each record, while under record chaining,
it retains its value across record boundaries. Record chaining has the advantage of
concealing identical lines in a file. Block chaining may be preferable for direct
access files and databases, however, because records can be accessed directly with-
out deciphering all preceding records, and records can be inserted and deleted
without reenciphering the remaining records. Identical records can be concealed
by prefixing each record with a random block of characters, as described earlier
for cipher feedback.
The chaining procedure is slightly modified to deal with short blocks. To
encipher a trailing short block M_t of j bits, the preceding ciphertext block C_{t-1} is
reenciphered, and the first j bits are exclusive-ored with M_t; thus C_t = M_t ⊕ E_K(C_{t-1}).
Because C_{t-1} depends on all preceding blocks of the record, the trailing short
ciphertext block is as secure as the preceding full ones.
With block chaining, there is a problem securing short records, because there
is no feedback from the previous record. To encipher a single short record M_1 of j
bits, it is exclusive-ored with the first j bits of I_0; thus, C_1 = M_1 ⊕ I_0. Although this
is not strong, it does superficially conceal the plaintext.
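The trailing-short-block rule needs only the forward direction of E_K, so a one-way stand-in suffices for a sketch (the hash and names are our assumptions):

```python
import hashlib

def EK(key, block):
    # Block-cipher stand-in; only E_K's output bits are used for the tail,
    # so this sketch never needs to invert it.
    return hashlib.sha256(key + block).digest()[:8]

def tail_crypt(key, c_prev, data):
    # C_t = M_t XOR (first j bits of E_K(C_{t-1})).  Exclusive-or is its own
    # inverse, so the same routine both enciphers and deciphers the tail.
    pad = EK(key, c_prev)[:len(data)]
    return bytes(a ^ b for a, b in zip(data, pad))
```

Because C_{t-1} is available to the receiver, deciphering the tail is just a second application of the same XOR.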
Cipher block chaining is somewhat less efficient for databases than direct
block encryption because changing a field requires reenciphering all succeeding
fields. Nevertheless, the added protection may offset the performance penalties for
many applications. Moreover, if an entire record is fetched during retrieval any-
way, encryption and decryption need not degrade performance if implemented in
hardware.
Davida, Wells, and Kam [Davi79] introduced a new type of block cipher suitable
for databases. A database is modeled as a set of records, each with t fields. Each
record is enciphered as a unit, so that all fields are diffused over the ciphertext.
The individual fields can be separately deciphered, though doing so requires access
to an entire ciphertext record. Like cipher block chaining, the scheme protects
against all types of attack.
Access to a particular field requires a special subkey for the field. There are
separate read subkeys d_1, ..., d_t for deciphering each field, and separate write
subkeys e_1, ..., e_t for enciphering each field. The subkeys are global to the data-
base; that is, all records are enciphered with the same subkeys. Each user is given
subkeys only for the fields that user is allowed to read or write.
We shall first describe a simplified, but insecure, version of the scheme, and
then discuss the modifications needed for security. The scheme is based on the
Chinese Remainder Theorem (see Theorem 1.8 in Section 1.6.2). To construct
subkeys, each read subkey d_j is chosen to be a random prime number larger than
the maximum possible value for field j. Letting n = d_1 d_2 ... d_t, the write subkeys
are as follows:

    e_j = (n/d_j) y_j , where y_j = inv(n/d_j, d_j) .            (3.3)

A record M = (m_1, ..., m_t) is enciphered as

    C = Σ_{j=1}^t e_j m_j mod n .                                (3.4)

By the Chinese Remainder Theorem, field j is deciphered with its read subkey as

    m_j = C mod d_j .                                            (3.5)

Field j can be changed to a new value m_j' without deciphering the other fields:

    C' = [C - e_j(C mod d_j) + e_j m_j'] mod n .                 (3.6)

[Figure 3.12: a record (m_1, ..., m_t) is enciphered as a single ciphertext record C; an individual field m_j is deciphered from C with its read subkey.]
Example:
Let t = 3, d_1 = 7, d_2 = 11, and d_3 = 5. Then n = 7 * 11 * 5 = 385 and

    y_1 = inv(385/7, 7)   = inv(55, 7)  = 6
    y_2 = inv(385/11, 11) = inv(35, 11) = 6
    y_3 = inv(385/5, 5)   = inv(77, 5)  = 3 .
The write subkeys are thus:

    e_1 = 55 * 6 = 330
    e_2 = 35 * 6 = 210
    e_3 = 77 * 3 = 231 .

Let M be the plaintext record M = (4, 10, 2). Using Eq. (3.4), M is enci-
phered with the write subkeys as

    C = (330 * 4 + 210 * 10 + 231 * 2) mod 385
      = 3882 mod 385 = 32 .
Using Eq. (3.5), the fields of M are deciphered with the read subkeys as
follows:

    m_1 = C mod d_1 = 32 mod 7  = 4
    m_2 = C mod d_2 = 32 mod 11 = 10
    m_3 = C mod d_3 = 32 mod 5  = 2 .
Using Eq. (3.6), the contents of the second field can be changed from 10 to 8
as follows:
    C' = [C - e_2(C mod d_2) + e_2 * 8] mod n
       = [32 - 210 * 10 + 210 * 8] mod 385
       = -388 mod 385 = -3 mod 385
       = 382 .

The reader should verify that all three fields are still retrievable. ■
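Equations (3.3) through (3.6) translate directly into code; this sketch (the function names are ours) reproduces the numbers of the example above:

```python
from math import prod

def make_subkeys(ds):
    # Read subkeys d_j: pairwise-coprime primes, each larger than its
    # field's maximum value.  Write subkeys per Eq. (3.3):
    #   e_j = (n/d_j) * inv(n/d_j, d_j),  with n = d_1 d_2 ... d_t.
    n = prod(ds)
    es = [(n // d) * pow(n // d, -1, d) for d in ds]
    return n, es

def encipher(n, es, record):        # Eq. (3.4): C = sum of e_j m_j mod n
    return sum(e * m for e, m in zip(es, record)) % n

def read_field(C, d):               # Eq. (3.5): m_j = C mod d_j
    return C % d

def write_field(C, n, e, d, new_m): # Eq. (3.6): update one field in place
    return (C - e * (C % d) + e * new_m) % n
```

With d = (7, 11, 5) this yields n = 385, write subkeys (330, 210, 231), C = 32 for the record (4, 10, 2), and C' = 382 after changing the second field to 8.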
There are two weaknesses with the scheme as described thus far. The first lies in
the method of enciphering as defined by Eq. (3.4). Let m_{ij} denote the value of the
jth field in record i. A user knowing the plaintext values m_{1j} and m_{2j} for two
records M_1 and M_2 can determine the read subkey d_j from the ciphertexts C_1 and C_2.
Observe that Eq. (3.5) implies

    C_1 - m_{1j} = u_1 d_j
    C_2 - m_{2j} = u_2 d_j

for some u_1 and u_2. Thus, d_j can be determined with high probability by computing
the greatest common divisor of (C_1 - m_{1j}) and (C_2 - m_{2j}). The solution is to
append a random 32-bit (or longer) value x_j to each m_j before enciphering with Eq.
(3.4).
The second weakness is that the method of updating fields individually, as
defined by Eq. (3.6), can expose the read keys (see exercises at end of chapter).
The solution here is to reencipher the entire record, using new random values xj for
all fields.
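The gcd attack on the unpadded scheme is a few lines; with only two records the gcd may carry a small cofactor (more known records would shrink it), as this sketch over the book's example parameters shows:

```python
from math import gcd, prod

# Known-plaintext attack on the unpadded scheme: Eq. (3.5) gives
# C mod d_j = m_j, so C - m_j is a multiple of d_j for every record.
ds = [7, 11, 5]                 # the secret read subkeys (book's example)
n = prod(ds)
es = [(n // d) * pow(n // d, -1, d) for d in ds]

def encipher(record):
    return sum(e * m for e, m in zip(es, record)) % n

C1 = encipher([4, 10, 2])       # attacker knows field 2 of both records
C2 = encipher([1, 2, 3])
leak = gcd(C1 - 10, C2 - 2)     # a multiple of d_2 = 11 (here 22)
```

Here `leak` is 22 = 2 * 11, exposing d_2 = 11 up to a factor of 2; with large random primes for the d_j, the spurious cofactor is small with high probability.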
Because both the read and write subkeys are required to write a field, user A
automatically has read access to any field that A can write. This is consistent with
most access control policies. But to write a single field, A must also have access to
n; this gives A the ability to compute the write subkey for any field for which A has
the read subkey. This is not consistent with most access control policies. To pre-
vent this, n must be hidden in the programs that access the database. To read field
j, A would invoke a read procedure, passing as parameter the read subkey d_j; to
write the field, A would invoke a write procedure, passing as parameters d_j, e_j, and
the new value m_j.
The write subkey ej for field j is computed from n and the read subkey dj.
Therefore, any group of users with access to all the read subkeys can compute n
and determine all the write subkeys. To prevent collusion, dummy fields are added
to each record. The read and write subkeys for these fields are not given to any
user.
Data protected with encryption may be transmitted over several links before it
arrives at its final destination. For example, data may be input from a user's
terminal to the user's program, where it is processed and then transmitted to a disk
file for storage. Later, the user may retrieve the data and have it displayed on the
terminal. In computer networks, data may be transmitted from one location on the
network to another for processing or for storage. In the discussion that follows, we
use the terminology node for any location (computer, terminal, front-end, or pro-
gram) where data may be input, stored, encrypted, processed, routed (switched),
or output; and link for any communication line or data bus between two nodes.
There are many possible choices of endpoints for the encryption. At one extreme,
link encryption enciphers and deciphers a message M at each node between the
source node 0 and the destination node n [Bara64]. The message is processed as
plaintext at the ith node, and transmitted as ciphertext E_i(M) over the ith link (see
Figure 3.13). Each link i has its own pair of transformations E i and Di, and differ-
ent encryption algorithms and message formats may be used on the different links.
This strategy is generally used with physical (hard-wired) connections. At the
other extreme, end-to-end encryption enciphers and deciphers a message at the
source and destination only (see Figure 3.14).
There are advantages and disadvantages to both extremes.

[Figures 3.13 and 3.14: link encryption transmits E_i(M) over each link i between node 0 and node n, with M in plaintext at each node; end-to-end encryption enciphers M at the source and deciphers it only at the destination.]

With link encryption, users need only one key for communicating with their local systems. With
end-to-end encryption, users need separate keys for communicating with each
correspondent. In addition, protocols are needed whereby users (or nodes) can
exchange keys to establish a secure connection (see Section 3.7).
End-to-end encryption provides a higher level of data security because the
data is not deciphered until it reaches its final destination. With link encryption,
the data may be exposed to secrecy and authenticity threats when it is in plaintext
at the intermediate nodes. Thus, end-to-end encryption is preferable for electronic
mail and applications such as electronic-funds transfer requiring a high level of
security.
End-to-end encryption, however, is more susceptible to attacks of traffic flow
analysis. With link encryption, the final destination addresses of messages can be
transmitted as ciphertext along each link. This is not possible with end-to-end
encryption, because the intermediate nodes need the addresses for routing (unless
there is a single physical connection). The addresses could be used, for example, to
learn whether an important business transaction was taking place.
For applications requiring high security, the two approaches can be com-
bined. Figure 3.15 shows how an end-to-end cryptographic system can be inter-
faced with a communications system using link encryption to encipher addresses.
The cryptographic system is on the outside, enciphering messages before they are
processed by the communications system, and deciphering messages after they
have been processed by the communications system. Each "packet" sent over a
link has a header field and a data field. The header field contains the final destina-
tion of the message, enciphered using the key for the link, plus other control
information used by the communications system. If the channel is used for more
than one connection (as in a ring network), the header must also contain the
immediate source and destination addresses in plaintext (the source address is
needed so the receiver will know which key to use to decipher the final destination
address).
Because a packet arriving at a device contains both plaintext and ciphertext,
the device must be capable of operating in two modes: normal (plaintext) mode in
which arriving control characters are interpreted by the device, and a "transpar-
ent" (ciphertext) mode in which arriving characters are not interpreted [Feis75].
With this feature, messages can also be exchanged in either plaintext or
ciphertext.
Enciphering the final destinations of messages along the way does not ob-
scure activity on a particular channel. The only solution here is to pad the channel
with dummy traffic to make it appear constantly busy.
[Figure 3.15: an end-to-end cryptographic system interfaced with a communications system that uses link encryption; A sends E_K(M) to B, and each node forwards E_K(M) over links 1 through n with the routing information enciphered link by link.]
u = E_S(A)
is A's untraceable return address. Because A's address is enciphered with S's
public key, B cannot decipher it. B can, however, send a reply M' to A through S:
To process data at a node in the system, it is usually necessary to decipher the data
first, and then reencipher it after it has been processed. Consequently, it may be
exposed to secrecy or authenticity threats while it is being processed. There are
two possible safeguards. The first is to encapsulate the computation in a physically
secure area. The second is to process the data in its encrypted state.
Rivest, Adleman, and Dertouzos [Rive78a] describe how the latter might be
accomplished with a privacy homomorphism. The basic idea is that encrypted data,
after processing, should be the same as if the data were first deciphered, processed
in plaintext, and finally reenciphered. Suppose the plaintext data is drawn from an
algebraic system consisting of data elements a, b, ...; operations f; predicates p; and
distinguished constants s.
Similarly, suppose the ciphertext is drawn from an algebraic system with corre-
sponding data elements a', b', operations f', predicates p', and distinguished con-
stants s'. Let E_K be the enciphering transformation, and let D_K be the
corresponding deciphering transformation. Then D_K is a homomorphism from the
ciphertext system to the plaintext system if and only if for all cipher elements a', b', ...
the following hold:

    D_K(f'(a', b', ...)) = f(D_K(a'), D_K(b'), ...)
    p'(a', b', ...)      = p(D_K(a'), D_K(b'), ...)
    D_K(s') = s .

Thus the encrypted result of an operation deciphers to the plaintext result of the
corresponding operation on the plaintext data.
Example:
Consider an exponentiation cipher (see Section 2.7) with enciphering
transformation
    E_K(a) = a^e mod n,
and corresponding deciphering transformation
    D_K(a') = (a')^d mod n,
where ed mod φ(n) = 1. Then D_K is a homomorphism from a ciphertext
system consisting of the integers modulo n, with multiplication and test for
equality, to an identical plaintext system. Given elements
    a' = a^e mod n, and
    b' = b^e mod n,
we have
    a' * b' = (a^e mod n) * (b^e mod n) mod n
            = (a * b)^e mod n
            = E_K(a * b mod n) .
Theorem 3.1:
It is not possible to have a secure enciphering function for an algebraic
system that includes the ordering predicate "≤" when the encrypted version
of the distinguished constants can be determined.
Proof:
Consider the plaintext system over the natural numbers with +, ≤,
and the constants 0 and 1. Let +', ≤', 0', and 1' denote the correspond-
ing operators and elements in the ciphertext system. Given a ciphertext
element i', it is possible to determine the corresponding plaintext ele-
ment i without computing D_K(i') using a simple binary search strategy.
First, determine 1' (by assumption this is possible). Next, compute

    2' = 1' +' 1'
    4' = 2' +' 2'
    8' = 4' +' 4'

and so on, doubling until i' is reached or exceeded (using ≤'); a binary
search over sums of these values then pins down i exactly.
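The proof's doubling-then-binary-search can be simulated against a toy cipher system. The monotone map below is an assumption made purely so the primitives 1', +', and ≤' can be provided; the attack itself uses nothing else about the cipher:

```python
# A toy model of the proof: the adversary sees only the constant 1', the
# operation +', and the predicate <=' of the ciphertext system, never the
# deciphering function.
SECRET = 1234567

def enc(i):                       # hidden E_K: any order-preserving map
    return i * SECRET + 99

def add_(a_, b_):                 # +' : satisfies enc(a) +' enc(b) = enc(a+b)
    return a_ + b_ - 99

def leq_(a_, b_):                 # <=' : order is preserved by enc
    return a_ <= b_

def recover(i_):
    """Determine i from i' using only 1', +', and <='."""
    one_ = enc(1)                 # "determine 1'" (possible by assumption)
    powers = [(1, one_)]          # double 1' to get 2', 4', 8', ...
    while leq_(powers[-1][1], i_) and powers[-1][1] != i_:
        j, j_ = powers[-1]
        powers.append((2 * j, add_(j_, j_)))
    total, total_ = 0, None       # binary descent over the recorded powers
    for j, j_ in reversed(powers):
        cand_ = j_ if total_ is None else add_(total_, j_)
        if leq_(cand_, i_):
            total, total_ = total + j, cand_
    return total
```

`recover(enc(i))` returns i for any positive i, using a number of +' and ≤' operations logarithmic in i.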
tailor the code to their needs and make corrections. The problem is that a custom-
er may illegally sell or give away copies of the program. If the copies have been
modified (e.g., by changing the names of variables and rearranging code), it can
be difficult to prove an agreement was breached. Indeed, the vendor might not
even be aware of the illegal distribution.
One solution is to transform ("encipher") a source program in such a way
that the transformed program executes the same as the original but is more diffi-
cult to copy [DeMi78]. Let P' be the transformed version of a program P. The
transformation should satisfy the following properties:
1. P' should have the same output as P for all valid inputs.
2. P' should have approximately the same performance characteristics as P.
3. P' should have distinguishing features that are difficult to conceal in copies.
Property (1) is similar to the first property of a privacy homomorphism, where the
elements a and b are programs and the function f corresponds to program execu-
tion (see Figure 3.17); instead of processing data in an encrypted state, we now
execute programs in an encrypted state.
One method is to pad a program with code that does not affect the output (at
least on valid inputs). Map makers employ a similar technique, introducing minor
errors that do not seriously impair navigation, but make copies easily discernible.
A second method is to transform the code or constants of the program to obscure
the algorithm. A third method is to transform the program so that it will not run
on other systems. This could be done by hiding in the code information about the
customer; this information would be checked when the program runs. None of
these transformations need be cryptographically strong; the objective is only to
make it more costly to change a program than to develop it from scratch or obtain
it from the vendor.
It is easier to protect proprietary software when the source is not distributed.
In a sense, program compilation is a form of encipherment, because the algorithm
is obscured in the object code. Object code can be decompiled, however, so the
    f(x) = (x^n + a_{n-1} x^{n-1} + ... + a_1 x + a_0) mod p ,

where p is a large prime and n is also large. Because a polynomial of degree n has
at most n roots, there can be at most n messages enciphering to the same cipher-
text. The time to invert f (i.e., find its roots) is O(n^2 (log p)^2); for n ≈ 2^24 and
p ≈ 2^64, this will exceed 10^16 operations. (See [Evan74] for other methods of
implementing one-way ciphers.)
Note that a one-way cipher cannot be implemented using a stream cipher
with key stream M and plaintext stream M_0. We would have C = M_0 ⊕ M, whence
M is easily computed by M = C ⊕ M_0.
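Evaluating the polynomial one-way cipher is straightforward; the sketch below shrinks the parameters to toy size (degree 3, a 31-bit prime, invented coefficients), so unlike the sizes suggested in the text it is not actually hard to invert:

```python
# One-way cipher f(M) = (M^n + a_{n-1} M^{n-1} + ... + a_0) mod p,
# shrunk to toy size.  The text's parameters (n around 2^24, p around
# 2^64) are what make root-finding infeasible in practice.
p = 2**31 - 1
coeffs = [12345, 6789, 42]        # a_2, a_1, a_0 (illustrative values)

def f(x):
    # Horner evaluation of the monic cubic x^3 + a_2 x^2 + a_1 x + a_0 mod p.
    acc = 1                       # leading coefficient of x^3
    for a in coeffs:
        acc = (acc * x + a) % p
    return acc
```

Computing f is a handful of multiplications; inverting it means finding a root of a degree-n polynomial mod p, which is where the one-way asymmetry comes from.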
Password files are protected with one-way ciphers using a scheme developed by
Needham [Wilk75]. Rather than storing users' passwords in the clear, they are
stored enciphered under a one-way cipher, so that even a compromised password
file does not reveal the passwords themselves. A user A with password P logs into
the system S as follows:

[Figure 3.18: the system's key file holds each user's key, and its password file holds each user's enciphered password.]

1. A sends an identification message to S.
2. S sends A the value
       X = E_A(T),
where T is the current date and time, and E_A is the enciphering transforma-
tion derived from A's private key.
3. A deciphers X to get T, and checks that T is current. If it is, A replies to S by
sending
       Y = E_A(T, P) .
The protocol is easily modified for a public-key system. In Step 2, the system
S uses its private transformation D_S (for sender authenticity) to create X = D_S(T),
which A can validate using S's public transformation E_S. In Step 3, A uses the
system's public enciphering transformation (for secrecy) to create Y = E_S(T, P).
Only S can decipher Y to obtain A's password and complete the login. Note that
A's private transformation (i.e., digital signature) can be used for authentication
instead of A's password; in this case, the protocol becomes:
1. A sends an identification message to S.
2. S sends A the value
       X = D_S(T),
where T is the current date and time, and D_S is S's private transformation.
3. A computes E_S(X) = T using S's public transformation, and checks that T is
current. If it is, A replies to S by sending
       Y = D_A(T),
where D_A is A's private transformation.
4. The system validates Y using A's public transformation E_A. If it is valid, the
login completes successfully.
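The handshake can be walked through with toy RSA-style key pairs for S and A. The parameters and the raw modular signatures are illustrative assumptions only (a real system would hash and pad the timestamp before signing):

```python
# Sketch of the four-step public-key login handshake with toy key pairs.
def keypair(p, q, e):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)     # public (E), private (D)

def apply_key(key, m):                      # E or D: modular exponentiation
    x, n = key
    return pow(m, x, n)

E_S, D_S = keypair(61, 53, 17)              # system S's transformations
E_A, D_A = keypair(11, 19, 7)               # user A's transformations

T = 123                                     # "current date and time" (toy)
X = apply_key(D_S, T)                       # Step 2: S signs the timestamp
T_seen = apply_key(E_S, X)                  # Step 3: A validates with E_S...
Y = apply_key(D_A, T_seen)                  # ...and replies with D_A(T)
login_ok = apply_key(E_A, Y) == T           # Step 4: S validates with E_A
```

A never reveals a reusable secret on the wire: only the signed, time-varying value Y is transmitted, so replaying an old Y fails the currency check on T.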
One possible weakness with the digital signature protocol is that users can be
impersonated if their private keys are stolen. The password protocol has the advan-
tage that memorized passwords are less susceptible to theft than physical keys--
provided users do not write them down. The digital signature protocol can be
enhanced by combining it with passwords or with a mechanism that uses personal
characteristics (e.g., a handprint) for identification. If passwords are used, then A
sends to S
    D_A(T), E_S(T, P)
in Step 3 of the protocol.
We first consider the management of keys that are used by a single user (or
process) to protect data stored in files. The simplest approach is to avoid storing
cryptographic keys in the system. In IPS [Konh80], for example, keys do not
reside permanently in the system. Users are responsible for managing their own
keys and entering them at the time of encipherment or decipherment.
IPS offers users two formats for entering the 56-bit keys needed for DES.
The first format is the direct entry of an 8-byte key (56 key bits plus 8 parity bits).
This format should be used only if the 56 key bits are randomly selected; a key
formed from English letters only (or even letters and digits) is too easy to find by
exhaustive search. Because it is easier for users to remember meaningful strings,
IPS provides a second format whereby a key can be entered as a long character
string. The string is reduced to a 56-bit key by enciphering it with DES using
cipher block chaining, and keeping the rightmost 56 bits (i.e., the checksum). The
process is called "key crunching".
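Key crunching can be sketched as follows; since DES is not in the Python standard library, a keyed hash stands in for the block algorithm, and the crunching key, block size, and function names are our assumptions:

```python
import hashlib

def EK(key, block):
    # Stand-in for DES under a fixed crunching key; any 64-bit block
    # transformation fits the sketch.
    return hashlib.sha256(key + block).digest()[:8]

def crunch(passphrase, key=b'crunch-key', bs=8):
    # CBC-style chaining over the passphrase: each block is XORed with the
    # previous output block and enciphered; the final block is the
    # checksum, of which the rightmost 56 bits become the key.
    data = passphrase.encode()
    data += b'\x00' * (-len(data) % bs)        # pad to a block multiple
    C = b'\x00' * bs
    for i in range(0, len(data), bs):
        block = bytes(a ^ b for a, b in zip(data[i:i + bs], C))
        C = EK(key, block)
    return int.from_bytes(C, 'big') & ((1 << 56) - 1)
</```

Because the checksum depends on every character of the string, a long memorable phrase is spread over the full 56-bit key space rather than the much smaller space of printable 8-character keys.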
Keys could also be recorded in Read Only Memory (ROM) or on magnetic
stripe cards [Feis75,Flyn78,Denn79]. The hardware-implemented key could then
be entered simply by inserting it into a special reader attached to the user's
terminal.
In conventional systems, users may register private keys with the system to
establish a secure channel between their terminals and the central computer (mas-
ter terminal keys are used in some systems for this purpose). These keys must be
protected, and the simplest strategy is to store them in a file enciphered under a
system master key. Unlike passwords, encryption keys cannot be protected with
one-way functions, because it would then be impossible to recover them.
In public-key systems, a user A need not register a private transformation DA
with the system to establish a secure channel. This does not mean DA requires no
security. If it is used for signatures, it must be protected from disclosure to prevent
forgery. Indeed, it must be protected from deliberate disclosure by A. If A can give
away D_A--or even just claim to have lost D_A--then A has a case for disavowing
any message (see [Salt78,Lipt78]). To prevent this, Merkle [Merk80] suggests
that A's signature key should not be known to anyone, including A. A single copy
of D_A would be kept in a dedicated microcomputer or sealed in a ROM.
Even if DA is given a high level of protection, some mechanism is needed to
handle the case where DA is compromised. This case can be handled as for lost or
stolen credit cards: liability would be limited once the loss or theft is reported to
the system. A signature manager S would keep a record of A's past and present
public transformations EA, and the times during which these transformations were
valid. To determine whether a message was signed before the loss, messages could
be timestamped. A cannot affix the timestamp, however, because A could knowingly affix an incorrect time, and if DA is compromised, someone else could forge a message and affix a time when DA was valid. The solution is for S to affix the current time T to a message signed by A, and then add its own signature DS, thereby playing the role of a notary public [Pope79,Merk80]. A message M would thus be doubly signed as follows:

C = DS(DA(M), T) .
Another user receiving C can check (with S) that A's corresponding public transformation EA was valid at time T before accepting C.
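The doubly signed message can be illustrated with textbook-sized RSA parameters. The tiny moduli, the hash step used to reduce (DA(M), T) to a signable number, and the message encoding are all illustrative assumptions, not the book's construction:

```python
import hashlib

# Toy RSA key pairs (illustrative only; real moduli are hundreds of digits).
nA, eA, dA = 3233, 17, 2753   # A: n = 61*53
nS, eS, dS = 3127, 7, 431     # notary S: n = 53*59

def sign(m, d, n):            # signing is D(m) = m^d mod n
    return pow(m, d, n)

def verify(sig, m, e, n):     # check that E(sig) = m
    return pow(sig, e, n) == m

def digest(sig_a, t, n):      # reduce (DA(M), T) to a number < n (assumed step)
    h = hashlib.sha256(f"{sig_a}|{t}".encode()).digest()
    return int.from_bytes(h, 'big') % n

M, T = 42, 19820101           # message and timestamp
sig_a = sign(M, dA, nA)                   # A signs M: DA(M)
c = sign(digest(sig_a, T, nS), dS, nS)    # S notarizes (DA(M), T): the double signature

# A receiver first checks S's signature on (DA(M), T), then recovers M from DA(M).
assert verify(c, digest(sig_a, T, nS), eS, nS)
assert verify(sig_a, M, eA, nA)
```

Checking S's signature establishes that T was affixed by the notary; checking A's signature establishes authorship of M.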
A similar strategy can be used to protect a signature transformation DA in a conventional system. But because the corresponding enciphering transformations EA and ES are secret, the receiver of a signed message C = DS(DA(M), T) cannot validate the signature (see Section 1.3.3).
166 CRYPTOGRAPHIC TECHNIQUES
Keys record
The keys that unlock a database require special protection. If the database is
shared by many users, it is usually better to store the keys in the system under the
protection of a key manager than to distribute the keys directly to the users, where
they would be vulnerable to loss or compromise. More importantly, it relieves the
users of the burden of key management, providing "cryptographic transparency".
Database keys could be enciphered under a database master key and stored either
in the database or in a separate file.
Gudes [Gude80] has proposed a scheme for protecting file encrypting keys
that can be integrated with the access control policies of a system. Let K be the
encryption key for a file F. For every user A allowed access to F, the system
computes
X = EA(K) ,
using A's private transformation EA, and stores X in a keys record at the beginning
of the encrypted file (see Figure 3.19). When A requests access to F, the system
finds A's entry X in the keys record, and computes DA(X) = DA(EA(K)) = K; the
file is then deciphered using the recovered key. An additional level of protection
against unauthorized updates is provided by storing f ( K ) in a validation record of
the file, where f is a one-way function. A user is not allowed to update the file
unless f(DA(X)) matches the value in the authentication field. If the file is enci-
phered using a two-key system, with separate read and write keys as described in
Section 1.2 (see Figure 1.8), users can be given read access without write access to
the file. One drawback with the scheme is that if a user's access rights to a file are
revoked, the file must be reenciphered under a new key, and the keys record and
validation record recomputed.
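A minimal sketch of the keys record and validation record, assuming a hash-based one-way function f and a self-inverse XOR transformation as a stand-in for the users' enciphering transformations (the function names and toy cipher are assumptions, not Gudes's implementation):

```python
import hashlib
import secrets

def f(key: bytes) -> bytes:
    """One-way function for the validation record."""
    return hashlib.sha256(b'validate' + key).digest()

def E(user_key: bytes, data: bytes) -> bytes:
    # Stand-in keyed transformation: XOR with a key-derived pad.
    # A real system would use DES or another block cipher.
    pad = hashlib.sha256(user_key).digest()[:len(data)]
    return bytes(a ^ b for a, b in zip(data, pad))

D = E  # the XOR stand-in is its own inverse

K = secrets.token_bytes(16)          # file encryption key
user_keys = {'A': b'key-of-A........', 'B': b'key-of-B........'}

# Build the keys record and validation record for file F.
keys_record = {u: E(k, K) for u, k in user_keys.items()}
validation = f(K)

# When A requests access, the system recovers K from A's entry:
X = keys_record['A']
recovered = D(user_keys['A'], X)     # DA(EA(K)) = K
assert recovered == K
# An update is allowed only if f(recovered key) matches the validation record:
assert f(recovered) == validation
```

Revoking a user's access illustrates the drawback noted above: K must be replaced, and both records rebuilt.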
Ehrsam, Matyas, Meyer, and Tuchman [Ehrs78,Maty78] describe a com-
plete key management scheme for communication and file security. They assume
that each host system has a master key KMO with two variants, KM1 and KM2.
The variants can be some simple function of KMO. The master keys are used to
encipher other encryption keys and to generate new encryption keys. Each termi-
nal also has a master terminal key KMT, which provides a secure channel between
the terminal and the host system for key exchange. The system stores its copies of
KEY MANAGEMENT 167
these keys in a file enciphered under KM1. Other key encrypting keys, such as file
master keys (called secondary file keys), are stored in files enciphered under KM2.
The master key KMO is stored in the nonvolatile storage of a special crypto-
graphic facility or security module. (KM1 and KM2 are computed from KMO as
needed.) The facility is secured so that users cannot access the master key or its
derivatives. Data encrypting keys are stored and passed to the cryptographic facili-
ty as ciphertext to protect them from exposure.
Special operations are provided by the cryptographic facilities in the host
systems and terminals. The following operations are used by the key management
scheme in a host:
1. Set master key (smk). A master key KMO is installed with the operation
smk(KMO) . (3.7)
Clearly, this operation requires special protection.
2. Encipher under master key (emk). A key K is protected by encrypting it under KMO with the operation

emk(K) = EKMO(K) . (3.8)
3. Encipher (ecph). To encipher a message M using key K, K is passed to the cryptographic facility enciphered under KMO. Letting X = EKMO(K) be the enciphered key, M is enciphered with the operation

ecph(X, M) = EK(M) , (3.9)

where K = DKMO(X) (see Figure 3.20). This instruction allows keys to be stored and passed to the cryptographic facility as ciphertext.
4. Decipher (dcph). Similarly, a ciphertext message C is deciphered using a key K with the operation

dcph(X, C) = DK(C) , (3.10)

where K = DKMO(X) (see Figure 3.21).
5. Reencipher from master key (rfmk). A terminal master key KMT is stored under KM1 encipherment as W = EKM1(KMT). The reencipher from master key operation allows the key manager to take a key K enciphered under KMO as X = EKMO(K) and put it under KMT encipherment:

rfmk(W, X) = EKMT(K) , (3.11)

where KMT = DKM1(W) and K = DKMO(X).

[Figures 3.20-3.22 show the ecph, dcph, and rfmk operations performed inside the cryptographic facility, so that keys are never exposed in plaintext.]
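The host operations can be sketched as methods of a facility object. A self-inverse XOR "cipher" stands in for DES, and the variant-key derivation is an arbitrary assumption (the text says only that the variants are some simple function of KMO):

```python
import hashlib

def _pad(key: bytes, n: int) -> bytes:
    # Key-derived pad; stand-in for a real block cipher such as DES.
    out, counter = b'', 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, 'big')).digest()
        counter += 1
    return out[:n]

def E(key, data):  # toy encipherment: XOR with a key-derived pad
    return bytes(a ^ b for a, b in zip(data, _pad(key, len(data))))

D = E  # self-inverse

class CryptoFacility:
    """Sketch of the host cryptographic facility: the master key never
    leaves the facility, and data keys enter and leave as ciphertext."""
    def smk(self, km0):                  # set master key (3.7)
        self._km0 = km0
        self._km1 = E(b'variant1', km0)  # assumed variant function
    def emk(self, k):                    # emk(K) = EKMO(K) (3.8)
        return E(self._km0, k)
    def ecph(self, x, m):                # ecph(X, M) = EK(M), K = DKMO(X) (3.9)
        return E(D(self._km0, x), m)
    def dcph(self, x, c):                # dcph(X, C) = DK(C) (3.10)
        return D(D(self._km0, x), c)
    def rfmk(self, w, x):                # reencipher K from KMO to KMT (3.11)
        kmt = D(self._km1, w)
        return E(kmt, D(self._km0, x))

fac = CryptoFacility()
fac.smk(b'master-key-00000')
k = b'session-key-0000'
x = fac.emk(k)                           # K stored only as ciphertext X
c = fac.ecph(x, b'hello, world....')
assert fac.dcph(x, c) == b'hello, world....'
```

Note that the caller never handles k in plaintext after emk: all later operations take the enciphered X.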
The master key KMT for a terminal is stored in the cryptographic facility of
the terminal. The following operations are provided by the facility:
1. Decipher from master key (dmk). This operation takes a key K transmitted to the terminal under KMT encipherment as EKMT(K), deciphers it, and stores it in a special working register of the facility. K remains in the working register until it is changed or the terminal is turned off.
2. Encipher (ecph). This operation enciphers data using the key stored in the working register. The encrypted data is transmitted to its destination, providing end-to-end encryption.
3. Decipher (dcph). This operation deciphers data using the key stored in the working register.
Public keys can be distributed either outside the system or from a public-key
directory within the system. In the former case, they could be recorded on some
digital medium such as a magnetic stripe card, which can be inserted into a special
reader attached to a user's terminal. Users would exchange public keys by giving
out copies of their cards.
In the latter case, they could be stored in a file managed by a system direc-
tory manager S. It is unnecessary to safeguard the keys from exposure, because
their secrecy is not required for secure communication or digital signatures. But it
is essential to maintain their integrity so they can be used to transmit messages in
secrecy and validate digital signatures. If S (or an imposter) supplies a valid but
incorrect public key, a user could unknowingly encipher confidential data that
[Figure 3.24: authentication tree with root H(1, 8), interior values H(1, 4), H(1, 2), H(5, 6), and H(7, 8), and user keys K1, . . . , K8 at the leaves.]
Ri = EK(Ki) .

Thus, Ki can be generated without ever being exposed in plaintext. For example, if Ki is to be used to encipher data stored in a system file, Ri would be defined as

Ri = EKNF(Ki) ,
when they are needed. This cannot be done using the preceding methods, because
the keys are a function of the current state of the system. Bayer and Metzger
[Baye76] describe an encipherment scheme for paged file and database structures
(including indexed structures) where each page is enciphered under a different
page key. The key K for a page P is derived from a file key KF by K = EKF(P).
Keys for other objects could be generated by similar means. In capability-based
systems (see Chapter 4), each object is identified by a unique name; this name
could be used to derive the encryption key for the object. By encrypting each
object under a separate key, exposure of a key endangers only one object.
Each record of a database could be enciphered under a different key using a
scheme suggested by Flynn and Campasano [Flyn78]. A record key would be a
function of a database key and selected plaintext data stored in the record (or
supplied by the user), and would be generated at the time the record is accessed.
Enciphering each record under a separate key would protect against ciphertext
searching and replay as described in Section 3.4. A user authorized to access the
encrypted fields of the records either would use a special terminal equipped with
the database key, or would be given a copy of the key sealed in a ROM, which
could be inserted into any terminal. The scheme could also be used to encipher
each field of a record under a separate key, though encrypting the fields of a
record separately can introduce security problems as described earlier.
Keys shared by groups of users in a computer network can be generated from
information about the group members. Let G be a group of users in a network of N
users. Members of G can share a secret group key K~:~, which allows them to
broadcast and receive messages from other members of G, and to access and
update files private to G. Users not in G are not allowed access to Ka. There can be
at most 2N - N - 1 groups of two or more users in the system. Denning and
Schneider [Denn81a] and Denning, Meijer, and Schneider [Denn81b] describe
schemes for deriving all possible group keys from a list of N user values; thus, the
schemes generate an exponential number of keys from a linear number of values.
One simple method computes the key KG for a group G of m users as a function of the members' private keys K1, . . . , Km. A user not in G cannot determine KG or any of the Ki of the members in G without computing a discrete logarithm. In
Section 2.7.1, we saw this was infeasible when p was 200 decimal digits long. If a
key shorter than 200 digits is needed, KG can be compressed by enciphering it with
a stream cipher in cipher feedback mode or with cipher block chaining, and keep-
ing the rightmost bits.
[Figure 3.26: key distribution with an authentication server S. S holds a private key file containing A's and B's registered keys and sends EB(A, K, T).]
tion facility is required), or else the users must find an independent but secure
method for exchanging the key by themselves. We shall show how each of these
approaches may be implemented.
We shall first describe a protocol for obtaining session keys from a central-
ized key distribution facility, sometimes called an "authentication server", S. The
protocol is based on one introduced by Needham and Schroeder [Need78] and
modified by Denning and Sacco [Denn81c]. We assume each user has a private
key, registered with S. If two users wish to communicate, one of them obtains a
session key K from S and distributes it to the other. A new key is obtained for each
session, so that neither the users nor S need keep lists of session keys. Although S
could keep a list of session keys for all possible pairs of users, the storage require-
ments would be enormous [for n users there are n(n - 1)/2 possible pairs], and the keys
might be vulnerable to attack. The key distribution facility could be distributed
over the network.
User A acquires a key K from S to share with another user B by initiating
the following steps (also refer to Figure 3.26):
1. A sends to S the message (A, B), requesting a session key to share with B.
2. S sends to A the message EA(B, K, T, EB(A, K, T)), where T is a timestamp and EA and EB denote encipherment under A's and B's private keys. A deciphers the message and checks that T is current.
3. A sends to B the part EB(A, K, T). B deciphers it and checks that T is current.
4. (Handshake) B generates an identifier I and sends to A the message EK(I).
5. (Handshake) A responds with

EK(I') ,

where I' is a predetermined modification of I. This confirms receipt of I and the use of K.
With the handshake, A can begin transmitting data to B at Step 5; without the
handshake, A can begin at Step 3.
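The centralized exchange is easy to simulate end to end. JSON framing and a toy XOR cipher stand in for the private-key encipherment, and the message formats are simplified assumptions:

```python
import hashlib
import json
import secrets

def E(key: bytes, data: bytes) -> bytes:
    # Toy XOR encipherment standing in for a block cipher.
    pad = hashlib.sha256(key).digest()
    pad = (pad * (len(data) // 32 + 1))[:len(data)]
    return bytes(a ^ b for a, b in zip(data, pad))

D = E  # self-inverse

def seal(key, obj):   return E(key, json.dumps(obj).encode())
def open_(key, blob): return json.loads(D(key, blob).decode())

# Private keys registered with the server S.
keys = {'A': b'private-key-of-A', 'B': b'private-key-of-B'}

# A asks S for a session key to share with B; S returns
# EA(B, K, T, EB(A, K, T)).
K = secrets.token_bytes(16).hex()
T = 19820101
ticket = seal(keys['B'], ['A', K, T])
reply  = seal(keys['A'], ['B', K, T, ticket.hex()])

# A deciphers the reply, checks the timestamp, forwards the ticket to B.
b_name, K_a, T_a, ticket_hex = open_(keys['A'], reply)
assert (b_name, T_a) == ('B', T)

# B deciphers the ticket and obtains the same session key.
a_name, K_b, T_b = open_(keys['B'], bytes.fromhex(ticket_hex))
assert K_a == K_b == K
```

Because the timestamp T is checked by both parties, neither side needs to keep a list of previously used session keys.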
To protect K from exposure between the time it is generated and the time it
is enciphered under A's and B's private keys, K should be generated as a random
number R in ciphertext as described in the preceding section [see Eq. (3.14)].
Ehrsam, Matyas, Meyer, and Tuchman [Ehrs78] suggest that R be defined as the
encipherment of K under the master key KMO; that is,
R = EKMO(K) .
If users' private keys are enciphered under a variant master key KM1, as described
in Section 3.7.1 for terminal master keys, K can be deciphered and reenciphered
under A's and B's private keys using the reencipher from master key operation
rfmk [Eq. (3.11)].
It is desirable to distribute the server S over the network so that all keys do
not have to be registered at a single site, and so that no single file contains all
private keys. This general approach is used in the protocols given by Ehrsam,
Matyas, Meyer, and Tuchman [Ehrs78] for use in the system described in Section
3.7.1. Here the host systems for the users exchange an enciphered session key R.
Each host then uses the rfmk instruction to transmit R to its respective user's terminal, enciphered under the terminal master key KMT (users' private keys are used for data encryption only, not for key exchange). The hosts exchange R using the rfmk and rtmk operations as follows. Let HA be the host for A and HB the host for B, and let KMOA and KMOB be their respective master keys. HA and HB share a secondary communication key KNC. KNC is stored as WA = EKM1A(KNC) at HA (for key forwarding) and as WB = EKM2B(KNC) at HB (for key receiving). The encrypted key K is given by R = EKMOA(K). HA uses the rfmk instruction to forward R to HB, and HB uses the rtmk instruction to receive R. The complete protocol is as follows:
1. HA computes rfmk(WA, R) = EKNC(R) and sends the result to HB.
2. HB obtains R by computing rtmk(WB, EKNC(R)) = R.
3. HA sends to A: ZA = rfmk(YA, R) = EKMTA(K), where KMTA is A's terminal master key, and YA = EKM1A(KMTA). A obtains K by deciphering ZA.
4. Similarly, HB sends to B: ZB = rfmk(YB, R) = EKMTB(K), where KMTB is B's terminal master key, and YB = EKM1B(KMTB). B obtains K by deciphering ZB.
The scheme is also used to distribute session keys to nodes or processes rather than
terminals.
Diffie and Hellman [Diff76] and Merkle [Merk78] have proposed an ap-
proach that allows users to exchange session keys directly. Diffie's and Hellman's
scheme is based on the computational difficulty of computing discrete logarithms
(see Section 2.7.1). The first user, A, picks a random value xA in the interval [0, p - 1], where p is prime (p may be publicly available to all users). The second user, B, also picks a random value xB in the interval [0, p - 1]. Then A sends to B
the value
yA = a^xA mod p ,
for some constant a; similarly, B sends to A the value yB = a^xB mod p. For sufficiently large values of xA and xB (e.g., 664 bits), the fastest known algorithms for computing the discrete logarithm function are intractable, whence xA and xB cannot practically be computed from yA and yB (see Sec-
tion 2.7.1). After the y's are exchanged, A computes the session key
K = (yB)^xA mod p
= (a^xB mod p)^xA mod p
= a^(xA xB) mod p ,
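The exchange is a two-line computation with Python's modular exponentiation. The Mersenne prime p = 2^127 - 1 and base a = 3 are illustrative choices, not the parameters of any deployed system:

```python
import secrets

# Public parameters: a prime p and a constant base a.
# A real exchange would use a prime of roughly 200 decimal digits
# (about 664 bits); this 127-bit Mersenne prime is for illustration.
p = 2**127 - 1
a = 3

xA = secrets.randbelow(p)   # A's secret value
xB = secrets.randbelow(p)   # B's secret value

yA = pow(a, xA, p)          # A sends yA to B
yB = pow(a, xB, p)          # B sends yB to A

# Each side computes the same session key a^(xA*xB) mod p.
K_A = pow(yB, xA, p)
K_B = pow(yA, xB, p)
assert K_A == K_B
```

An eavesdropper sees only yA and yB; recovering the key requires computing a discrete logarithm.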
1. A obtains yB, computes KAB = (yB)^xA mod p, generates random values R and RAB, and computes

K = DAB(R) , IAB = DK(RAB) ,

where DAB is the DES deciphering transformation with key KAB. A sends to B the plaintext

(A, R, RAB) .
2. B obtains yA and computes KAB = (yA)^xB mod p. B computes

K = DAB(R) , IAB = DK(RAB) .

B modifies IAB in a predetermined way to get I'AB and computes

X = EK(I'AB) .

B generates a random value RBA, computes

IBA = DK(RBA) ,

and sends (X, RBA) to A.
3. A deciphers X to get DK(X) = I'AB. This confirms receipt of IAB by B. A computes

IBA = DK(RBA) .

A modifies IBA in a predetermined way to get I'BA, computes

Y = EK(I'BA) ,
and sends Y to B.
4. B deciphers Y to get DK(Y) = I'BA, confirming receipt of IBA by A.
Note that all ciphertext transmitted between A and B is enciphered under the
session key K, which is likely to have a much shorter lifetime than the shared
key KAB.
Computation of the public keys yA and yB and the private key KAB is implemented in GF(2^n) using n = 127 and irreducible polynomial p(x) = x^127 + x + 1 (see Section 1.6.3). Recall that implementation in GF(2^n) was also suggested for the Pohlig-Hellman exponentiation cipher, where computation of yA = a^xA mod p corresponds to the encryption of plaintext a using encryption key xA (see Section 2.7.1).
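Arithmetic in GF(2^n) can be sketched with integer bit operations, encoding polynomial coefficients as bits. This shift-and-XOR implementation is illustrative, not the MITRE system's:

```python
def gf_mul(a: int, b: int, mod_poly: int, n: int) -> int:
    """Multiply two polynomials over GF(2), reducing modulo an
    irreducible polynomial of degree n (coefficients are int bits)."""
    r = 0
    while b:
        if b & 1:
            r ^= a                # add a (XOR) if this bit of b is set
        b >>= 1
        a <<= 1                   # multiply a by x
        if (a >> n) & 1:          # degree reached n: subtract the modulus
            a ^= mod_poly
    return r

def gf_pow(x: int, e: int, mod_poly: int, n: int) -> int:
    """Square-and-multiply exponentiation in GF(2^n)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x, mod_poly, n)
        x = gf_mul(x, x, mod_poly, n)
        e >>= 1
    return r

# The small field GF(2^3) with p(x) = x^3 + x + 1 = 1011:
assert gf_mul(0b010, 0b010, 0b1011, 3) == 0b100   # x * x = x^2
assert gf_pow(0b010, 7, 0b1011, 3) == 0b001       # x^7 = 1

# The field of the text: n = 127, p(x) = x^127 + x + 1.
MOD127 = (1 << 127) | 0b11
y = gf_pow(0b10, 2**127 - 2, MOD127, 127)
assert gf_mul(y, 0b10, MOD127, 127) == 1          # x^(2^127 - 1) = 1
```

Exponentiation here plays the role of a^xA in the key exchange; only shifts and XORs are needed, which is why GF(2^n) was attractive for hardware.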
The MITRE demonstration system provides both central and local public-
key distribution modes. With central key distribution, a user acquires public keys
directly from the key distribution center each time the user wants to establish a
secure connection. With local key distribution, the public key directory is down-
loaded to the user's system and stored in local memory. This has the advantage of
relieving the central facility of participating in every connection. The demonstration system also provides a non-directory mode corresponding to the original Diffie-Hellman proposal, where the public values are exchanged directly by the users.
This mode is suitable when active wiretapping does not pose a serious threat.
A public-key cryptosystem can also be used to exchange session keys
[Diff76,Merk80]. Following the timestamp protocol in [Denn81b], let CA and CB
be A's and B's certificates [Eq. (3.13)], signed by S. A and B can exchange a key K with the following protocol (also refer to Figure 3.27):

1. A sends (A, B) to S, requesting certificates for A and B.
2. S sends to A the certificates CA and CB, where CA = DS(A, EA, T1).
3. A sends to B the message (CA, CB, X), where X = EB(DA(K, T)), and DA is A's private deciphering transformation.
4. B checks CB, gets A's public transformation EA from CA, and computes EA(DB(X)) = (K, T), where DB is B's private transformation.
For added protection, the protocol can be extended to include a handshake be-
tween B and A, following the approach described for the centralized key distribu-
tion protocol. Of course, in a public-key system users can send messages directly
using each other's public keys (obtained from certificates). The protocol would be
used only if conventional encryption of messages is needed for performance
reasons.
If the public keys are distributed among multiple hosts in a network, then the
protocol must be extended slightly to allow exchange of certificates among the
hosts. In Step 2, if A's host S does not have B's public key, it could dispatch a
message to B's host requesting a certificate for B.
For additional reading on protocols for secure communication and key ex-
change, see Davies and Price [Davs79,Pric81], Kent [Kent78,Kent76], and Popek
and Kline [Pope79]. Protocols for the secure broadcast scenario are examined in Kent
[Kent81].
Ultimately, the safety of all keys stored in the system--and therefore the entire
system--may depend on a single master key. This has two serious drawbacks.
First, if the master key is accidentally or maliciously exposed, the entire system is
vulnerable. Second, if the master key is lost or destroyed, all information in the
system becomes inaccessible. The latter problem can be solved by giving copies of
the key to "trustworthy" users. But in so doing, the system becomes vulnerable to
betrayal.
The w shadows are given to w users. Because t shadows are required to reconstruct
the key, exposure of a shadow (or up to t - 1 shadows) does not endanger the key,
and no group of less than t of the users can conspire to get the key. At the same
time, if a shadow is lost or destroyed, key recovery is still possible (as long as there
are at least t valid shadows). Such schemes are called (t, w) threshold schemes
[Sham79], and can be used to protect any type of data. Blakley [Blak79] pub-
lished the first threshold scheme, which was based on projective geometry. The
following subsections describe two other approaches.
h(x) = [ Σ(j=1..t) Kij Π(s=1..t, s≠j) (x - xis) / (xij - xis) ] mod p . (3.17)
THRESHOLD SCHEMES 181
Because arithmetic is in GF(p), the divisions in Eq. (3.17) are performed by computing inverses mod p and multiplying.
Example:
Let t = 3, w = 5, p = 17, K = 13, and

h(x) = (2x^2 + 10x + 13) mod 17

with random coefficients 2 and 10. Evaluating h(x) at x = 1, . . . , 5, we get five shadows:

K1 = h(1) = (2 + 10 + 13) mod 17 = 25 mod 17 = 8
K2 = h(2) = (8 + 20 + 13) mod 17 = 41 mod 17 = 7
K3 = h(3) = (18 + 30 + 13) mod 17 = 61 mod 17 = 10
K4 = h(4) = (32 + 40 + 13) mod 17 = 85 mod 17 = 0
K5 = h(5) = (50 + 50 + 13) mod 17 = 113 mod 17 = 11 .
We can reconstruct h(x) from any three of the shadows. Using K1, K3, and K5, we have:

h(x) = [ 8 (x - 3)(x - 5)/((-2)(-4)) + 10 (x - 1)(x - 5)/((2)(-2)) + 11 (x - 1)(x - 3)/((4)(2)) ] mod 17
= [ 8 * inv(8, 17) * (x - 3)(x - 5) + 10 * inv(-4, 17) * (x - 1)(x - 5) + 11 * inv(8, 17) * (x - 1)(x - 3) ] mod 17
= [ 8 * 15 * (x - 3)(x - 5) + 10 * 4 * (x - 1)(x - 5) + 11 * 15 * (x - 1)(x - 3) ] mod 17
= [ (x - 3)(x - 5) + 6(x - 1)(x - 5) + 12(x - 1)(x - 3) ] mod 17
= [ 19x^2 - 92x + 81 ] mod 17
= 2x^2 + 10x + 13 .
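The example's numbers can be checked directly. Reconstruction below evaluates the Lagrange form of Eq. (3.17) at x = 0, where h(0) = K, instead of recovering the full polynomial:

```python
def eval_poly(coeffs, x, p):
    """Evaluate a polynomial (constant term first) mod p."""
    return sum(c * pow(x, i, p) for i, c in enumerate(coeffs)) % p

def reconstruct_secret(shares, p):
    """Lagrange interpolation at x = 0 over GF(p): recovers h(0) = K."""
    k = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for s, (xs, _) in enumerate(shares):
            if s != j:
                num = num * (-xs) % p
                den = den * (xj - xs) % p
        k = (k + yj * num * pow(den, -1, p)) % p   # division = inverse mod p
    return k

# The example from the text: t = 3, w = 5, p = 17, K = 13,
# h(x) = 2x^2 + 10x + 13 mod 17.
p, coeffs = 17, [13, 10, 2]
shadows = [(x, eval_poly(coeffs, x, p)) for x in range(1, 6)]
assert [y for _, y in shadows] == [8, 7, 10, 0, 11]

# Any three shadows reconstruct K; here K1, K3, and K5.
assert reconstruct_secret([shadows[0], shadows[2], shadows[4]], p) == 13
```

`pow(den, -1, p)` computes the modular inverse (Python 3.8+), matching the inv(., 17) steps in the worked example.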
Example:
Consider the field GF(2^3) with irreducible polynomial

p(x) = x^3 + x + 1 = 1011 (in binary) .

The elements of GF(2^3) are binary strings of length 3. Let t = 2, w = 3, and K = 011.
We can reconstruct h(x) from any two of the shadows. Using K1 and K2, we have

h(x) = [ K1 (x - 010)/(001 - 010) + K2 (x - 001)/(010 - 001) ] mod 1011 ,

where subtraction in GF(2^3) is the same as addition (bitwise XOR), and each division is performed by multiplying by the inverse of the divisor.
1. The size of each shadow Ki does not substantially exceed the size of the key K [there may be some key expansion in GF(p), because p must be larger than K].
2. For fixed K, additional shadows can be created without changing existing ones just by evaluating h(x) at more values of x. A shadow can also be destroyed without affecting other shadows.
3. A shadow can be voided without changing K by using a different polynomial h(x) with the same constant term. Voided shadows cannot be used unless there are at least t of them derived from the same polynomial.
4. A hierarchical scheme is possible, where the number of shadows given to each user is proportional to the user's importance. For example, a company president can be given three shadows, each vice-president two, and so forth.
5. Key recovery is efficient, requiring only O(t^2) operations to evaluate Eq. (3.17) using standard algorithms, or O(t log^2 t) operations using methods discussed in [Knut69,Aho74].
Asmuth and Bloom [Asmu80] have proposed a threshold scheme based on the Chinese Remainder Theorem (see Theorem 1.8 in Section 1.5.2). In their scheme the shadows are congruence classes of a number associated with K. Let p, d1, . . . , dw be integers such that:

1. p > K
2. d1 < d2 < · · · < dw
3. gcd(p, di) = 1 for all i
4. gcd(di, dj) = 1 for i ≠ j
5. d1 d2 · · · dt > p dw-t+2 dw-t+3 · · · dw .
Requirements (3) and (4) imply the set of integers is pairwise relatively prime. Requirement (5) implies the product of the t smallest di is larger than the product of p and the t - 1 largest di. Let n = d1 d2 · · · dt be the product of the t smallest di. Thus n/p is larger than the product of any t - 1 of the di. Let r be a random integer in the range [0, (n/p) - 1]. To decompose K into w shadows, K' = K + rp
is computed; this puts K' in the range [0, n - 1]. The shadows are then given by

Ki = K' mod di , i = 1, . . . , w . (3.18)

Given t shadows Ki1, . . . , Kit, the Chinese Remainder Theorem determines K' as the unique solution in [0, n - 1] of the congruences

x ≡ Kij mod dij , j = 1, . . . , t , (3.19)

whence the key is recovered as

K = K' - rp . (3.20)
If only t - 1 shadows Ki1, . . . , Kit-1 are known, K' can only be known modulo

n2 = di1 di2 · · · dit-1 .

Because n/n2 > p and gcd(n2, p) = 1, the numbers x such that x ≤ n and x ≡ K' (mod n2) are evenly distributed over all the congruence classes modulo p; thus, there is not enough information to determine K'.
Example:
Let K = 3, t = 2, w = 3, p = 5, d1 = 7, d2 = 9, and d3 = 11. Then

n = d1 d2 = 7 · 9 = 63 > 5 · 11 = p d3 .

Let r = 9, so that K' = K + rp = 3 + 9 · 5 = 48. The shadows are

K1 = 48 mod 7 = 6, K2 = 48 mod 9 = 3, K3 = 48 mod 11 = 4 .

From K1 and K2, K' is the unique solution modulo 63 of x ≡ 6 (mod 7) and x ≡ 3 (mod 9), giving K' = 48. Thus,

K = K' - rp = 48 - 9 · 5 = 3 .
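The decomposition and CRT reconstruction can be checked with the numbers above (r = 9 is the choice that makes K' = 48, matching the text):

```python
from math import prod

def crt(residues, moduli):
    """Chinese Remainder Theorem: solve x = r_i (mod d_i) for
    pairwise relatively prime moduli; returns the solution mod n."""
    n = prod(moduli)
    x = 0
    for r, d in zip(residues, moduli):
        m = n // d
        x = (x + r * m * pow(m, -1, d)) % n   # pow(m, -1, d) = inverse mod d
    return x

# The example from the text: K = 3, t = 2, w = 3, p = 5, d = (7, 9, 11).
p, d = 5, [7, 9, 11]
K, r = 3, 9
Kp = K + r * p                       # K' = 48, in [0, n - 1] with n = 63
shadows = [Kp % di for di in d]      # Eq. (3.18)
assert shadows == [6, 3, 4]

# Any two shadows determine K' exactly, since di*dj >= n > K'.
K_prime = crt(shadows[:2], d[:2])    # Eq. (3.19)
assert K_prime == 48
assert K_prime - r * p == K          # Eq. (3.20); equivalently K' mod p
```

Reconstructing from the other pairs of shadows, e.g. (K2, K3) with moduli (9, 11), yields the same K' and hence the same K.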
over finite fields. (See [Blak81] for a study of security proofs for threshold
schemes.)
Whereas cryptosystems achieve computational security, threshold schemes
achieve unconditional security by not putting enough information into any t - 1
shadows to reconstruct the key. Blakley [Blak80] has shown the one-time pad can
be characterized as a t = 2 threshold scheme protecting a message M. Here, the
sender and receiver each has a copy of the pad M1, which serves as one shadow.
The second shadow, constructed by the sender and transmitted to the receiver, is
given by the ciphertext M2 = M ⊕ M1. Both M1 and M2 are needed to reconstruct
M. The interesting point is that classifying the one-time pad as a key threshold
scheme explains how it can achieve perfect security when no other cryptosystem
can.
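Blakley's characterization is easy to demonstrate: the pad and the ciphertext are the two shadows, and either one alone is a uniformly random string carrying no information about M:

```python
import secrets

M = b'ATTACK AT DAWN'
M1 = secrets.token_bytes(len(M))             # the pad: one shadow
M2 = bytes(a ^ b for a, b in zip(M, M1))     # the ciphertext: the other shadow

# Each shadow alone is uniformly distributed; both together give M.
assert bytes(a ^ b for a, b in zip(M1, M2)) == M
```

This is exactly a t = 2, w = 2 threshold scheme protecting the message M, which is why the one-time pad achieves unconditional rather than computational security.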
EXERCISES
3.1 Suppose the ith ciphertext ci is deleted from a direct access file enciphered with a synchronous stream cipher, and that the remainder of the file is deciphered and reenciphered using the original key stream, where ci+1 is now enciphered under ki, ci+2 under ki+1, and so forth. Show that all key elements kj and plaintext elements mj (j ≥ i) can be determined from the original and updated ciphertext if mi is known.
3.2 Let M = 100011 and C = 101101 be corresponding bit streams in a known
plaintext attack, where the key stream was generated with a 3-stage linear
feedback register. Using Eq. (3.2) solve for H to get the tap sequence T.
3.3 Describe methods for breaking Vigenère's autokey ciphers.
3.4 Let d1 = 3, d2 = 5, and d3 = 7 be read subkeys in the scheme described in Section 3.4.2. Using Eq. (3.3), find write subkeys e1, e2, and e3. Using Eq. (3.4), encipher a record having fields m1 = 2, m2 = 4, and m3 = 3 (do not bother adding random strings to each field). Show that all three fields can be deciphered using only their read subkeys in Eq. (3.5). Using e2 and d2 in Eq. (3.6), modify the ciphertext so that the second field has the value 3 instead of 4. Show that all three fields can be extracted from the modified ciphertext using only their read subkeys.
3.5 Consider the subkey scheme described in Section 3.4.2. Let C1 and C2 be two ciphertext records of t fields each, and suppose the first t - 1 fields in each record are updated as defined by Eq. (3.6). Letting C'1 and C'2 denote the updated ciphertext records, show how the read key dt can be determined for the tth field from the original and updated ciphertext records.
3.6 Complete the proof of Theorem 3.1 in Section 3.5.2 by showing how the
exact value of i can be determined.
3.7 Consider a privacy homomorphism for the system of natural numbers with
addition, multiplication, and test for equality. Given a ciphertext element i',
show that it is possible to determine whether the corresponding plaintext
element i is equal to an arbitrary constant n in O(n) time without using any
constants.
3.8 Give the authentication path for the user with key K6 in Figure 3.24. Show
how these values can be used to compute H(1, 8).
3.9 Consider Shamir's key threshold scheme based on Lagrange interpolating
polynomials in GF(p). Let t = 4, p = 11, K = 7, and
h(x) = (x^3 + 10x^2 + 3x + 7) mod 11 .

Using Eq. (3.16), compute shadows for x = 1, 2, 3, and 4. Using Eq. (3.17),
reconstruct h ( x ) from the shadows.
3.10 Consider Shamir's key threshold scheme based on Lagrange interpolating polynomials in GF(2^3) with irreducible polynomial p(x) = x^3 + x + 1 = 1011. Let t = 3, K = 010, and

h(x) = (001x^2 + 011x + 010) mod 1011 .
Compute shadows for x = 001, 011, and 100. Reconstruct h ( x ) from the
shadows.
3.11 Consider Asmuth's and Bloom's key threshold scheme based on the Chinese
Remainder Theorem. Let t = 2, w = 4, p = 5, dl = 8, d2 = 9, d3 = 11, and d4
= 13. Then n = 8 • 9 = 72. Let K = 3 and r = 10, whence K' = 53. Using
Eq. (3.18), decompose K' into four shadows, K1, K2, K3, and K4. Using Eq. (3.19) and Eq. (3.20), reconstruct K from K1 and K2, and from K3 and K4.
3.12 Class Computer Project: Implement one of the key threshold schemes.
3.13 Consider a synchronous stream cipher where the ith key element ki of a stream K is a block given by

ki = (i + 1)^d mod n ,

where d is the private key to an RSA cipher and n is public. Thus,

K = k1, k2, k3, k4, k5, . . .
= 2^d, 3^d, 4^d, 5^d, 6^d, . . . (mod n) .

where n = pq for large primes p and q, the di are pairwise relatively prime and relatively prime to φ(n), S is secret, and S^(1/di) mod n is the dith root of S mod n. An example of a stream is

K = S^(1/3), S^(1/5), S^(1/7), . . . (mod n) .
REFERENCES
Aho74. Aho, A., Hopcroft, J., and Ullman, J., The Design and Analysis of Computer
Algorithms, Addison-Wesley, Reading, Mass. (1974).
Ardi70. Ardin, B. W. and Astill, K. N., Numerical Algorithms, Addison-Wesley, Reading,
Mass. (1970).
Asmu80. Asmuth, C. and Bloom, J., "A Modular Approach to Key Safeguarding," Math.
Dept., Texas A&M Univ., College Station, Tex. (1980).
Bara64. Baran, P., "On Distributed Communications: IX. Security, Secrecy, and Tamper-
Free Considerations," RM-3765-PR, The Rand Corp., Santa Monica, Calif. (1964).
Baye76. Bayer, R. and Metzger, J. K., "On the Encipherment of Search Trees and Random
Access Files," ACM Trans. on Database Syst. Vol. 1(1) pp. 37-52 (Mar. 1976).
Blak79. Blakley, G. R., "Safeguarding Cryptographic Keys," Proc. NCC, Vol. 48, AFIPS
Press, Montvale, N.J., pp. 313-317 (1979).
Blak80. Blakley, G. R., "One-Time Pads are Key Safeguarding Schemes, Not Cryptosystems," Proc. 1980 Symp. on Security and Privacy, IEEE Computer Society, pp. 108-113 (Apr. 1980).
Blak81. Blakley, G. R. and Swanson, L., "Security Proofs for Information Protection Systems," in Proc. 1981 Symp. on Security and Privacy, IEEE Computer Society, pp. 75-88 (Apr. 1981).
Bloo81. Bloom, J. R., "A Note on Superfast Threshold Schemes," Math. Dept., Texas
A&M Univ., College Station, Tex. (1981).
Bran75. Branstad, D. K., "Encryption Protection in Computer Communication Systems,"
Proc. 4th Data Communications Symp., pp. (8-1)-(8-7) (1975).
Bran78. Branstad, D. K., "Security of Computer Communication," IEEE Comm. Soc.
Mag. Vol. 16(6) pp. 33-40 (Nov. 1978).
Brig76. Bright, H. S. and Enison, R. L., "Cryptography Using Modular Software Ele-
ments," Proc. NCC, Vol. 45, AFIPS Press, Montvale, N.J., pp. 113-123 (1976).
Brig80. Bright, H. S., "High-Speed Indirect Cryption," Cryptologia Vol. 4(3) pp. 133-139
(July 1980).
Camp78. Campbell, C. M., "Design and Specification of Cryptographic Capabilities,"
IEEE Comm. Soc. Mag. Vol. 16(6) pp. 15-19 (Nov. 1978).
Chai74. Chaitin, G. J., "Information-Theoretic Limitations of Formal Systems," J. ACM
Vol. 21(3) pp. 403-424 (July 1974).
Chau81. Chaum, D. L., "Untraceable Electronic Mail, Return Addresses, and Digital
Pseudonyms," Comm. ACM Vol. 24(2) pp. 84-88 (Feb. 1981).
Cont72. Conte, S. D. and deBoor, C., Elementary Numerical Analysis, McGraw-Hill, New
York (1972).
Davi79. Davida, G. I., Wells, D. L., and Kam, J. B., "A Database Encryption System with
Subkeys," TR-CS-78-8, Dept. of Electrical Eng. and Computer Science, The Univ.
of Wisconsin, Milwaukee, Wis. (May 1979).
Davi80. Davida, G. I., DeMillo, R. A., and Lipton, R. J., "Protecting Shared Cryptographic Keys," Proc. 1980 Symp. on Security and Privacy, IEEE Computer Society, pp. 100-102 (Apr. 1980).
Davs79. Davies, D. W. and Price, W. L., "A Protocol for Secure Communication," NPL
Report NACS 21/79, National Physical Lab., Teddington, Middlesex, England
(Nov. 1979).
DeMi78. DeMillo, R., Lipton, R., and McNeil, L., "Proprietary Software Protection," pp.
115-131 in Foundations of Secure Computation, Academic Press, New York (1978).
Denn79. Denning, D. E., "Secure Personal Computing in an Insecure Network," Comm.
ACM Vol. 22(8) pp. 476-482 (Aug. 1979).
Denn81a. Denning, D. E. and Schneider, F. B., "Master Keys for Group Sharing," Info.
Proc. Let. Vol. 12(1) pp. 23-25 (Feb. 13, 1981).
Denn81b. Denning, D. E., Meijer, H., and Schneider, F. B., "More on Master Keys for
Group Sharing," Info. Proc. Let. (to appear).
Denn81c. Denning, D. E. and Sacco, G. M., "Timestamps in Key Distribution Protocols,"
Comm. ACM Vol. 24(8) pp. 533-536 (Aug. 1981).
Diff76. Diffie, W. and Hellman, M., "New Directions in Cryptography," IEEE Trans. on
Info. Theory Vol. IT-22(6) pp. 644-654 (Nov. 1976).
Diff79. Diffie, W. and Hellman, M., "Privacy and Authentication: An Introduction to
Cryptography," Proc. IEEE Vol. 67(3) pp. 397-427 (Mar. 1979).
Dole81. Dolev, D. and Yao, A. C., "On the Security of Public Key Protocols," Proc. 22nd
Annual Symp. on the Foundations of Computer Science (1981).
Ehrs78. Ehrsam, W. F., Matyas, S. M., Meyer, C. H., and Tuchman, W. L., "A Cryptographic Key Management Scheme for Implementing the Data Encryption Standard," IBM Syst. J. Vol. 17(2) pp. 106-125 (1978).
Evan74. Evans, A. Jr., Kantrowitz, W., and Weiss, E., "A User Authentication Scheme
Not Requiring Secrecy in the Computer," Comm. ACM Vol. 17(8) pp. 437-442
(Aug. 1974).
Feis73. Feistel, H., "Cryptography and Computer Privacy," Sci. Am. Vol. 228(5) pp. 15-
23 (May 1973).
Feis75. Feistel, H., Notz, W. A., and Smith, J. L., "Some Cryptographic Techniques for
Machine to Machine Data Communications," Proc. IEEE Vol. 63(11) pp. 1545-
1554 (Nov. 1975).
Flyn78. Flynn, R. and Campasano, A. S., "Data Dependent Keys for a Selective Encryp-
tion Terminal," pp. 1127-1129 in Proc. NCC, Vol. 47, AFIPS Press, Montvale, N.J.
(1978).
GSA77. "Telecommunications: Compatibility Requirements for Use of the Data Encryp-
REFERENCES 189
Centre," NPL Report DNACS 43/81, National Physical Lab., Teddington, Middle-
sex, England (Apr. 1981).
Purd74. Purdy, G. P., "A High Security Log-in Procedure," Comm. ACM Vol. 17(8) pp.
442-445 (Aug. 1974).
Reed73. Reed, I. S., "Information Theory and Privacy in Data Banks," Proc. NCC Vol. 42,
AFIPS Press, Montvale, N.J., pp. 581-587 (1973).
Rive78a. Rivest, R. L., Adleman, L., and Dertouzos, M. L., "On Data Banks and Privacy
Homomorphisms," pp. 169-179 in Foundations of Secure Computation, ed. R. A.
DeMillo et al., Academic Press, New York (1978).
Rive78b. Rivest, R. L., Shamir, A., and Adleman, L., "A Method for Obtaining Digital
Signatures and Public-Key Cryptosystems," Comm. ACM Vol. 21(2) pp. 120-126
(Feb. 1978).
Salt78. Saltzer, J., "On Digital Signatures," Oper. Syst. Rev. Vol. 12(2) pp. 12-14 (Apr.
1978).
Sava67. Savage, J. E., "Some Simple Self-Synchronizing Digital Data Scramblers," Bell
System Tech. J., pp. 448-487 (Feb. 1967).
Scha79. Schanning, B. P., "Data Encryption with Public Key Distribution," EASCON '79
Conf. Record, pp. 653-660 (Oct. 1979).
Scha80. Schanning, B. P., Powers, S. A., and Kowalchuk, J., "Memo: Privacy and Authen-
tication for the Automated Office," Proc. 5th Conf. on Local Computer Networks,
pp. 21-30 (Oct. 1980).
Sham79. Shamir, A., "How to Share a Secret," Comm. ACM Vol. 22(11) pp. 612-613
(Nov. 1979).
Sham81. Shamir, A., "On the Generation of Cryptographically Strong Pseudo-Random
Sequences," Dept. of Applied Math., The Weizmann Institute of Science, Rehovot,
Israel (1981 ).
Turn73. Turn, R., "Privacy Transformations for Databank Systems," Proc. NCC, Vol. 42,
AFIPS Press, Montvale, N.J., pp. 589-600 (1973).
Wilk75. Wilkes, M. V., Time-Sharing Computing Systems, Elsevier/MacDonald, New
York (1968; 3rd ed., 1975).
Zier68. Zierler, N. and Brillhard, J., "On Primitive Trinomials (Mod 2)," Info. and Con-
trol Vol. 13 pp. 541-554 (1968).
Zier69. Zierler, N. and Brillhard, J., "On Primitive Trinomials (Mod 2)," Info. and Con-
trol Vol. 14 pp. 566-569 (1969).
4
Access Controls
Access controls ensure that all direct accesses to objects are authorized. By regu-
lating the reading, changing, and deletion of data and programs, access controls
protect against accidental and malicious threats to secrecy, authenticity, and sys-
tem availability (see Chapter 1).
Many access controls incorporate a concept of ownership--that is, users may
dispense and revoke privileges for objects they own. This is common in file systems
intended for the long-term storage of user data sets and programs. Not all applica-
tions include this concept; for example, patients do not own their records in a
medical information system.
The effectiveness of access controls rests on two premises. The first is proper
user identification: no one should be able to acquire the access rights of another.
This premise is met through authentication procedures at login as described in
Chapter 3. The second premise is that information specifying the access rights of
each user or program is protected from unauthorized modification. This premise is
met by controlling access to system objects as well as to user objects.
In studying access controls, it is useful to separate policy and mechanism. An
access control policy specifies the authorized accesses of a system; an access con-
trol mechanism implements or enforces the policy. This separation is useful for
three reasons. First, it allows us to discuss the access requirements of systems
independent of how these requirements may be implemented. Second, it allows us
to compare and contrast different access control policies as well as different
mechanisms that enforce the same policies. Third, it allows us to design mecha-
nisms capable of enforcing a wide range of policies. These mechanisms can be
integrated into the hardware features of the system without impinging on the
flexibility of the system to adapt to different or changing policies.
ACCESS-MATRIX MODEL

The state of a protection system is defined by a triple (S, O, A), where:

S is a set of subjects, which are the active entities of the model. We will
assume that subjects are also considered to be objects; thus S ⊆ O.
O is a set of objects, which are the protected entities of the system. Each
object is uniquely identified by a name.
A is an access matrix, with rows corresponding to subjects and columns to
objects. An entry A [s, o] lists the access rights (or privileges) of subject s for
object o.
Example:
Figure 4.1 illustrates the state of a simple system having two processes
(subjects), two memory segments, and two files. Each process has its own
private segment and owns one file. Neither process can control the other
process. ■

Figure 4.1 (access matrix; blank entries are empty):

                    Objects
            M1       M2       F1         F2         P1   P2
    P1      R,W,E             Own,R,W
    P2               R,W,E               Own,R,W
Graham and Denning associate with each type of object a monitor that
controls access to the object. The monitor for an object o prevents a subject s from
accessing o when A [s, o] does not contain the requisite right. A monitor can be
implemented in hardware, software, or some combination of hardware and soft-
ware. An example of a monitor is the hardware that checks an address to deter-
mine if it is within the memory bounds associated with a process. Another example
is the file system monitor that validates requests for file accesses.
Protection within a program is modeled with a more refined matrix in which
the subjects are procedures (or activations of procedures), and the objects are data
structures and procedures. The access rights for a data object are determined by
the operations and procedures that may be applied to objects of that type. For
example, the access rights for an integer variable consist of the arithmetic and
relational operators (+, *, < , etc.) and assignment (:=); the rights for an integer
constant (or variable passed by value) exclude assignment. Note that the right to
apply the assignment operator is granted by W-access to an object, whereas the
right to apply the remaining operators is granted by R-access to the object.
The access rights for a programmer-defined object of type stack may be
restricted to push and pop procedures, so the program cannot manipulate the
underlying representation of the stack (e.g., to delete an element from the middle
of the stack). The pop and push procedures, however, have access to the represen-
tation of stacks.
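The stack encapsulation just described can be sketched in a modern language (an illustration added here; the book's discussion is language-neutral, and the class below is hypothetical):

```python
class Stack:
    """A stack whose representation is reachable only through push and pop,
    so callers cannot splice elements out of the middle."""

    def __init__(self):
        self._rep = []          # underlying representation; not part of the interface

    def push(self, item):
        self._rep.append(item)

    def pop(self):
        if not self._rep:
            raise IndexError("pop from empty stack")
        return self._rep.pop()

s = Stack()
s.push(1); s.push(2); s.push(3)
print(s.pop())   # 3 -- only the top is accessible through the interface
```

Granting a program only the push and pop procedures corresponds to restricting its entry in the access matrix to those two rights.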
The protection provided by language structures must be enforced by both the
language processor and the run-time system. The language processor is responsible
for screening out specification errors (e.g., violations of syntax, type, and scope
rules). The run-time system is responsible for screening out execution errors (e.g.,
linkage errors, binding errors, addressing errors, or I/O errors). The system also
provides protection in case of changes to compiled programs. If access checking is
implemented in hardware, it can be performed in parallel with program execution,
and need not degrade the performance of the system. The strongest protection
comes from a combination of compiler and system support: the compiler prevents
programs with detectable specification errors from executing; the system ensures
that programs execute according to their specifications and to the current protec-
tion state.
In database systems, the subjects correspond to users and the objects to files,
relations, records, or fields within records. Each entry A [s, o] is a decision rule,
specifying the conditions under which user s may access data object o, and the
operations that s is permitted to perform on o.
The decision rules are a generalization of the concept of access rights. The
rules may specify both data-independent conditions, which are analogous to the
rights in operating systems, and data-dependent conditions, which are a function of
the current values of the data being accessed. For example, permitting a user to
alter the contents of only those student records for which the Department field is
Physics is an example of a data-dependent condition. The concept of dependency
may be extended to include time-dependent conditions, which are functions of the
clock (e.g., a user may be permitted to access the payroll records between 9 and 5
only), context-dependent conditions, which are functions of combinations of data
(e.g., a user may be permitted to see student grades or student names, but not
pairs of names and grades), and history-dependent conditions, which are functions
of previous states of the system (e.g., a process may not be allowed to write into an
unclassified file if it previously processed classified data) [Hart76]. In general, a
decision may depend on any available information describing the present or past
state of the system.
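A decision rule of this kind can be sketched as a predicate over the subject, the object's current data, and the clock (a Python illustration added here; the rule and field names are hypothetical, echoing the Physics and 9-to-5 examples above):

```python
from datetime import time

def payroll_rule(user, record, now):
    """Decision rule for A[user, record]: a data-dependent condition
    (matching Department) combined with a time-dependent condition
    (access permitted only between 9:00 and 17:00)."""
    in_hours = time(9, 0) <= now <= time(17, 0)             # time-dependent
    same_dept = record["Department"] == user["Department"]  # data-dependent
    return in_hours and same_dept

alice = {"Name": "Alice", "Department": "Physics"}
rec = {"Department": "Physics", "Salary": 50000}
print(payroll_rule(alice, rec, time(10, 30)))  # True
print(payroll_rule(alice, rec, time(20, 0)))   # False
```

Context- and history-dependent conditions would add further arguments (prior queries, prior states) to the same predicate.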
The decision rules are similar to the control procedures described in Hoff-
man's [Hoff71] formulary model. In Hoffman's system, all security is enforced by
a set of database access procedures called formularies. A formulary consists of
control procedures that determine whether to grant an access request, addressing
procedures that map logical names into virtual addresses, and encryption and
decryption procedures. Hoffman's formularies are like the object monitors de-
scribed by Graham and Denning.
Q ⊢_op Q'
(read "Q derives Q' under op").
Harrison, Ruzzo, and Ullman consider commands of the following form:
command c(x1, ..., xk)
    if r1 in A[xs1, xo1] and
       r2 in A[xs2, xo2] and
       ...
       rm in A[xsm, xom]
    then
       op1;
       op2;
       ...
       opn
    end,

where r1, ..., rm are rights, and s1, ..., sm and o1, ..., om are integers between
1 and k. A command may have an empty set of conditions (i.e., m = 0). We
assume, however, that each command performs at least one operation.
The effect of a command on the state of a protection system is as follows. Let
c(a1, ..., ak) be a command with actual parameters a1, ..., ak, and let Q = (S, O,
A) be a state of a protection system. Then Q yields state Q' under c, written
Q ⊢_c(a1, ..., ak) Q', if Q' is the state obtained from Q by performing the
operations op*1, ..., op*n, where op*i denotes the primitive operation opi,
substituting the actual parameters ai for the formal parameters xi.
We shall write Q ⊢_c Q' if there exist actual parameters a1, ..., ak such that Q
⊢_c(a1, ..., ak) Q'; and Q ⊢ Q' if there exists a command c such that Q ⊢_c Q'. Finally,
we shall write Q ⊢* Q' if there exists a sequence of length n ≥ 0: Q = Q0 ⊢ Q1 ⊢ ...
⊢ Qn = Q'.
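The command formalism can be sketched directly (a Python illustration added here, not part of the model's definition): a state carries the sets S and O and the matrix A, and a command tests its conditions against A before running its primitive operations in order.

```python
def make_state():
    # A protection state: subjects S, objects O, and access matrix A
    # mapping (subject, object) pairs to sets of rights.
    return {"S": set(), "O": set(), "A": {}}

def rights(state, s, o):
    return state["A"].setdefault((s, o), set())

def run_command(state, conditions, operations):
    """HRU-style command: if every condition (r, s, o) holds -- right r
    is in A[s, o] -- perform the operations in order."""
    if all(r in rights(state, s, o) for (r, s, o) in conditions):
        for op in operations:
            op(state)
        return True        # command applied: Q yields a new state Q'
    return False           # a condition failed: state unchanged

def enter(r, s, o):
    # The primitive operation "enter r into A[s, o]" as a closure.
    return lambda st: rights(st, s, o).add(r)

st = make_state()
st["S"].add("p"); st["O"].update({"p", "f"})
rights(st, "p", "f").add("Own")
# "if Own in A[p, f] then enter R into A[p, f]":
applied = run_command(st, [("Own", "p", "f")], [enter("R", "p", "f")])
print(applied, sorted(rights(st, "p", "f")))   # True ['Own', 'R']
```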
The access-matrix model is an abstract representation of the protection poli-
cies and mechanisms found in real systems. As such, it provides a conceptual aid to
understanding and describing protection systems, a common framework for com-
paring different protection systems, and a formal model for studying the inherent
properties of protection systems. Some mechanisms are more easily described by
other models, however. We shall later use graphs to describe mechanisms that
involve the transfer of rights.
Protection systems should not be implemented using the matrix and associ-
ated commands. One reason is there are much better ways of representing the
access state of a system than with a matrix that is likely to be large and sparse.
Another is that the commands are too primitive for most applications.
Example:
We shall show how the model can be used to describe the transfer of rights in
operating systems with processes, segments, and owned files, as illustrated by
Figure 4.1. Our example is similar to the one given by Harrison, Ruzzo, and
Ullman.
Any process may create a new file. The process creating a file is auto-
matically given ownership of the file and R W-access to the file. This is
represented by the command:
command create.file(p, f)
    create object f;
    enter Own into A[p, f];
    enter R into A[p, f];
    enter W into A[p, f]
    end.
The process owning a file may change its rights to the file. For example, a
process p owning a file f can protect f from inadvertent modification by
removing its W-access to f. It may also confer any right to the file (except
ownership) on other processes. For example, R-access may be conferred by
process p on process q with the command:

command confer.read(p, q, f)
    if Own in A[p, f]
    then enter R into A[q, f]
    end.
The owner can likewise revoke q's R-access to f:

command revoke.read(p, q, f)
    if Own in A[p, f]
    then delete R from A[q, f]
    end.
A process whose R right to f carries the copy flag (written R*) can transfer
R-access to another process:

command transfer.read(p, q, f)
    if R* in A[p, f]
    then enter R into A[q, f]
    end.
A process p with Ctrl-access to a process q can revoke q's R-access to f:

command revoke.subordinate.read(p, q, f)
    if Ctrl in A[p, q]
    then delete R from A[q, f]
    end.
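These four commands can be sketched over a dictionary-based access matrix (a Python illustration added here; R* marks an R right carrying the copy flag, as assumed above):

```python
A = {}  # access matrix: A[(process, file)] is a set of rights

def cell(p, f):
    return A.setdefault((p, f), set())

def create_file(p, f):
    cell(p, f).update({"Own", "R", "W"})   # creator gets ownership and RW

def confer_read(p, q, f):
    if "Own" in cell(p, f):                # only the owner may confer
        cell(q, f).add("R")

def revoke_read(p, q, f):
    if "Own" in cell(p, f):
        cell(q, f).discard("R")

def transfer_read(p, q, f):
    if "R*" in cell(p, f):                 # copy flag required to transfer
        cell(q, f).add("R")

create_file("p", "f")
confer_read("p", "q", "f")
transfer_read("q", "x", "f")   # no effect: q holds plain R, not R*
revoke_read("p", "q", "f")     # owner revokes q's read access
```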
[Figure 4.2: access matrix for subjects P1, P2, P3 and objects M1, M2, M3, F1,
F2, P1, P2, P3. P1 holds R, W, E for M1 and Own, R, W for F1; P2 holds R, W, E
for M2, Own, R, W for F2, and Ctrl for P3.]
A configuration of the access matrix describes what subjects can do--not neces-
sarily what they are authorized to do. A protection policy (or security policy)
partitions the set of all possible states into authorized versus unauthorized states.
The next example shows how a simple policy regulating message buffers shared by
two communicating processes can be formally described in terms of authorized
states.
Example:
The following specifies that for every message buffer b, there exists exactly
one process p that can write into the buffer and one process q that can read
from the buffer (see Figure 4.3).
Whether a state is authorized can depend on the previous state and the
command causing the state transition:
Example:
Consider the system described in the previous section. The following speci-
fies that no subject can acquire access to a file unless that right has been
explicitly granted by the file's owner:
Let Q = (S, O, A) be an authorized state such that Own ∈ A[p, f] for
subject p and file f, but r ∉ A[q, f] for subject q and right r. Let Q' = (S',
O', A') be a state such that r ∈ A'[q, f] and Q ⊢_c Q'. Then Q' is authorized
if and only if

c = confer.read(p, q, f). ■
ACCESS CONTROL MECHANISMS

The access control mechanisms of a system enforce the system's security policies
by ensuring that the physical states of the system correspond to authorized states
of the abstract model. These mechanisms must monitor all accesses to objects as
well as commands that explicitly transfer or revoke rights. Otherwise, the system
could enter a physical state that does not correspond to an authorized state of the
model. For example, a subject could bypass a file system and issue a read request
directly to the physical location of a file on disk. The security mechanisms must
also ensure that the physical resource states correspond to logical object states of
the model. Systems that do not clear memory between use, for example, may
expose data to unauthorized subjects.
The security mechanisms of a system may be overprotective in the sense of
preventing entry to an authorized state or of denying an authorized access. For
example, a system might never allow a subject access to a file unless the subject
owns the file. Systems that are overprotective are secure, but may not satisfy other
requirements of the system.
The preceding requirements are summarized with the aid of Figure 4.4. Let
S be the set of all possible states, and let P be the subset of S authorized by the
protection policies of the system. Let R be the subset of S that is reachable with
the security mechanisms in operation. The system is secure if R ⊆ P; that is, if all
reachable states are authorized. The system is precise (not overprotective) if R
= P; that is, if all authorized states are reachable (see Figure 4.4).

[Figure 4.4: the set S of all states, partitioned into authorized states (given
policy) and unauthorized states; R is the subset of reachable states (given
mechanism). Secure: R ⊆ P. Precise: R = P.]

After discussing the general requirements of security mechanisms, we shall
describe particular mechanisms. We shall then turn to the problem of designing
systems whose security can be verified. Finally, we shall examine theoretical ques-
tions related to proving properties about the transfer of rights in abstract models.
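For a system small enough to enumerate, security (R ⊆ P) and precision (R = P) can be checked by brute force. A Python sketch added here, under toy definitions of states, commands, and policy (all hypothetical):

```python
def reachable(initial, commands):
    """Compute R: every state reachable from the initial state by any
    sequence of commands. States must be hashable; a command returns
    the new state, or None if its conditions fail."""
    seen, frontier = {initial}, [initial]
    while frontier:
        q = frontier.pop()
        for c in commands:
            q2 = c(q)
            if q2 is not None and q2 not in seen:
                seen.add(q2)
                frontier.append(q2)
    return seen

# Toy system: a state is a frozenset of (subject, right, object) triples.
def confer(q):
    # Hypothetical command: the owner p confers R on subject q'.
    if ("p", "Own", "f") in q:
        return q | {("q", "R", "f")}
    return None

initial = frozenset({("p", "Own", "f")})
R = reachable(initial, [confer])
P = {initial, initial | {("q", "R", "f")}}   # the authorized states (policy)
print("secure:", R <= P, "precise:", R == P)   # secure: True precise: True
```

Real systems have far too many states for such enumeration; the point of the abstract model is to reason about R and P without listing them.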
[Figure 4.5: subject s owns shared data x; s1, granted access by s, may pass
the right on to another subject s2.]

A subject s that grants another subject s1 access to data it owns may fear that
s1 will in turn pass the right to another subject s2 (see Figure 4.5). Alternatively,
s may fear that s1 will simply misuse its privileges--for example, s1 could read x
and broadcast its contents to other subjects (see Figure 4.6). The second problem
does not fall under the scope
of an access control policy, however, because it involves the transfer of information
rather than the transfer of rights; controls for information flow are studied in the
next chapter.
Most systems have facilities for sharing originals of programs or data. On-
line database systems often allow multiple users simultaneous access to a common
database. Most operating systems allow concurrent processes to execute the same
code and access global system tables or file directories.
There are several reasons for sharing originals of data (or programs) rather
than just copies. A principal reason is to save space. Another is to save time that
would otherwise be needed to make duplicates or transfer updates to a master
copy. A third reason is to ensure each subject has a consistent, up-to-date view of
the data.

[Figure 4.6: s1, with read access to shared data x, broadcasts its contents to
other subjects.]

[Figure 4.7: a Trojan Horse concealed in a borrowed program.]
Protecting originals of data imposes additional requirements on the security
mechanisms, however, because a subject with write-access to the original might
destroy the data. Concurrent accesses to the data must be controlled to prevent
writing subjects from interfering with other subjects.
If programs are shared, the protection problem is considerably more complex
than if only data is shared. One reason is a Trojan Horse may be lurking inside a
borrowed program. A Trojan Horse performs functions not described in the pro-
gram specifications, taking advantage of rights belonging to the calling environ-
ment to copy, misuse, or destroy data not relevant to its stated purpose (see Figure
4.7). A Trojan Horse in a text editor, for example, might copy confidential infor-
mation in a file being edited to a file accessible to another user. The attack was
first identified by D. Edwards and described in the Anderson report [Ande72].
The term Trojan Horse is often used to refer to an entry point or "trapdoor"
planted in a system program for gaining unauthorized access to the system, or to
any unexpected and malicious side effect [Lind75]. Protection from Trojan Horses
requires encapsulating programs in small domains with only the rights needed for
the task, and no more.
Even if encapsulated, a borrowed program may have access to confidential
parameters passed by the calling subject s. The program could transmit the data to
the program's owner s', or retain it in objects owned by s' for later use (see Figure
4.8). For example, a compiler might make a copy of a proprietary software pro-
gram. A program that cannot retain or leak its parameters is said to be memory-
less or confined.
Lampson [Lamp73] was the first to discuss the many subtleties of the con-
finement problem. As long as a borrowed program does not have to retain any
[Figure 4.8: a borrowed program reads confidential parameters passed by the
calling subject and transmits them to, or retains them for, the program's
owner.]

[Figure 4.9: mutual suspicion--the borrower fears the proprietary program
will steal its confidential data; the program's owner fears the borrower will
steal the program.]
Saltzer and Schroeder identified several design principles for protection mecha-
nisms [Salt75]:
1. Least privilege: Every user and process should have the least set of access
rights necessary. This principle limits the damage that can result from error
or malicious attack. It implies processes should execute in small protection
domains, consisting of only those rights needed to complete their tasks.
When the access needs of a process change, the process should switch do-
mains. Furthermore, access rights should be acquired by explicit permission
only; the default should be lack of access (Saltzer and Schroeder called this a
"fail-safe" default). This principle is fundamental in containing Trojan
Horses and implementing reliable programs; a program cannot damage an
object it cannot access.
2. Economy of mechanism: The design should be sufficiently small and simple
that it can be verified and correctly implemented. Implementing security
mechanisms in the lowest levels of the system (hardware and software) goes
a long way toward achieving this objective, because the higher levels are then
supported by a secure base. This means, however, security must be an inte-
gral part of the design. Attempting to augment an existing system with
security mechanisms usually results in a proliferation of complex mecha-
nisms that never quite work. Although the system must be sufficiently flexi-
ble to handle a variety of protection policies, it is better to implement a
simple mechanism that meets the requirements of the system than it is to
implement one with complicated features that are seldom used.
3. Complete mediation: Every access should be checked for authorization. The
mechanism must be efficient, or users will find means of circumventing it.
4. Open design: Security should not depend on the design being secret or on the
ignorance of the attackers [Bara64]. This principle underlies cryptographic
systems, where the enciphering and deciphering algorithms are assumed
known.
5. Separation of privilege: Where possible, access to objects should depend on
more than one condition being satisfied. The key threshold schemes dis-
cussed in Section 3.8 illustrate this principle; here more than one shadow is
needed to restore a key.
6. Least common mechanism: Mechanisms shared by multiple users provide
potential information channels and, therefore, should be minimized. This
principle leads to mechanisms that provide user isolation through physically
separate hardware (distributed systems) or through logically separate virtual
machines [Pope74, Rush81].
7. Psychological acceptability: The mechanisms must be easy to use so that
they will be applied correctly and not bypassed. In particular, it must not be
substantially more difficult for users to restrict access to their objects than it
is to leave access to them unrestricted.
ACCESS HIERARCHIES
Most existing systems implement some form of privileged mode (also called super-
visor state) that gives supervisor programs an access domain consisting of every
object in the system. The state word of a process has a 1-bit flag indicating
whether the process is running in privileged mode or in nonprivileged (user) mode.
A process running in privileged mode can create and destroy objects, initiate and
terminate processes, access restricted regions of memory containing system tables,
and execute privileged instructions that are not available to user programs (e.g.,
execute certain I/O operations and change process statewords). This concept of
privileged mode is extended to users in UNIX, where a "super user" is allowed
access to any object in the system.
The protection rings in MULTICS are a generalization of the concept of
supervisor state [Grah68,Schr72,Orga72]. The state word of a process p specifies
an integer ring number in the range [0, r - 1]. Each ring defines a domain of
access, where the access privileges of ring j are a subset of those for ring i, for all
0 ≤ i < j ≤ r - 1 (see Figure 4.10). The supervisor state has r = 2.
Supervisor states and ring structures are contrary to the principle of least
privilege. Systems programs typically run with considerably more privilege than
they require for their tasks, and ring 0 programs have full access to the whole
system. A single bug or Trojan Horse in one of these programs could do consider-
able damage to data in main memory or on disk.
There are numerous examples of users who have exploited a design flaw that
enabled them to run their programs in supervisor state or plant a Trojan Horse in
some system module. For example, Popek and Farber [Pope78] describe an "ad-
The scope rules of languages such as ALGOL, PL/I, and Pascal automatically
give inner program units (e.g., procedures and blocks) access to objects declared in
enclosing units--even if they do not require access to these objects. The inner
program units are, therefore, much like the inner rings of MULTICS. Whereas
objects declared in the inner units are hidden from the rest of the program, objects
declared in the outer units may be accessible to most of the program.
Example:
Consider the program structure shown in Figure 4.11. The inner program
unit S1 has access to its own local objects as well as global objects declared
in the enclosing units R1, Q1, and P1 (as long as there are no name conflicts).
No other unit can access objects local to S1 unless they are explicitly
passed as parameters by S1. The outermost unit P1 has access only to the
objects declared in P1, though these objects are global to the entire pro-
gram. ■

[Figure 4.11: nested program units; S1 is enclosed by R1, Q1, and the
outermost unit P1, with sibling units R2 and Q2 at intermediate levels.]
Programs that exploit the full capabilities of nested scopes are often difficult
to maintain. An inner unit that modifies a global data object has side effects that
can spread into other units sharing the same global objects. Changes to the code in
the innermost units can affect code in the other units. Changes to the structure of
a global object can affect code in the innermost units of the program.
Some recent languages have facilities for restricting access to objects in
enclosing program units. In Euclid [Lamp76a], for example, a program unit can
access only those objects that are accessible in the immediately enclosing unit and
either explicitly imported into the unit (through an imports list) or declared
pervasive (global) in some enclosing block. Ada has a similar facility, where a
restricted program unit can access only those objects declared in an enclosing unit
and included in the visibility list for the unit.
AUTHORIZATION LISTS

[An authorization list: a list of entries (S1, r1), (S2, r2), ..., (Sn, rn) pairing
each subject with its access rights.]
Authorization lists are typically used to protect owned objects such as files. Each
file has an authorization list specifying the names (or IDs) of users or user groups,
and the access rights permitted each. Figure 4.12 illustrates.
The owner of a file has the sole authority to grant access rights to the file to
other users; no other user with access to the file can confer these rights on another
user (in terms of the abstract model, the copy flag is off). The owner can revoke
(or decrease) the access rights of any user simply by deleting (or modifying) the
user's entry in the authorization list.
[Figure 4.12: a file directory entry for file F, with authorization list ART:
Own, RW; PAT: RW; ROY: R; SAM: R.]

MULTICS uses authorization lists to protect segments in long-term storage
[Dale65,Bens72,Orga72]. Each segment has an access-control list with an entry
for each user permitted access to the segment. Each entry in the list indicates the
type of access (read, write, or execute) permitted, together with the range of rings
(bracket) over which this permission is granted:

(r1, r2)--the read bracket, r1 ≤ r2
(w1, w2)--the write bracket, w1 ≤ w2
(e1, e2)--the execute bracket, e1 ≤ e2.

A process executing in ring i (see previous section) is not allowed access to a
segment unless the user associated with the process is listed in the access-control
list, and i falls within the range corresponding to the type of access desired.
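The ring-bracket rule can be sketched as a small check (a Python illustration added here; the user name and bracket values are hypothetical):

```python
# An access-control-list: per-user brackets for each access type.
ACL = {
    "ART": {"read": (0, 5), "write": (0, 3), "execute": (1, 5)},
}

def ring_access_ok(user, ring, mode, acl):
    """A process in ring i may access the segment only if its user is
    listed in the ACL and i falls within the bracket for the mode."""
    entry = acl.get(user)
    if entry is None or mode not in entry:
        return False
    lo, hi = entry[mode]
    return lo <= ring <= hi

print(ring_access_ok("ART", 2, "write", ACL))   # True:  2 within (0, 3)
print(ring_access_ok("ART", 4, "write", ACL))   # False: 4 outside (0, 3)
```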
In the SWARD system, authorization lists are associated with access sets for
objects [Buck80]. Users can group objects together into object sets, and then
define access sets over objects, object sets, and other access sets.
Example:
Figure 4.13 illustrates an access set for the object sets X, Y, and Z. The
access set A1 is defined by the expression X + Y - Z, which evaluates left-
to-right to the set of objects {a2, c} (duplicate names in Y are removed; thus
a1, the first version of a, is not included). Because the set A1 is defined by an
expression, its constituency can change as objects are added to or deleted
from the object sets X, Y, and Z. ■
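The left-to-right evaluation of an access-set expression can be sketched as follows (a Python illustration added here; the set contents are hypothetical, chosen to reproduce the example's outcome {a2, c}):

```python
def eval_access_set(expr):
    """Evaluate a left-to-right expression of ('+'/'-', object-set) pairs.
    Object sets are lists of (name, version) pairs; when a duplicate name
    is added, the first version is kept."""
    result = {}                                # name -> object version
    for op, members in expr:
        for name, version in members:
            if op == "+":
                result.setdefault(name, version)   # first version wins
            else:
                result.pop(name, None)
    return set(result.values())

X = [("a", "a2"), ("b", "b1")]
Y = [("a", "a1"), ("c", "c")]    # duplicate "a": a1 is not included
Z = [("b", "b1")]
print(eval_access_set([("+", X), ("+", Y), ("-", Z)]))   # the set {a2, c}
```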
[Figure 4.13: access set A1, defined by the expression X + Y - Z over the
object sets X, Y, and Z.]

To access an object, a user must specify the name of the object and an access
set. The user is granted access to the object only if it is included in the access set;
in addition, the authorization list for the set must have an entry for the user with
the appropriate access rights.
In UNIX, each file has an authorization list with three entries: one specify-
ing the owner's access rights; a second specifying the access rights of all users in
the owner's group (e.g., faculty, students, etc.); and a third specifying the access
rights of all others [Ritc74]. The access rights for each entry include R, W, and E
(E is interpreted as "directory search" for directory files). The UNIX file system
has a tree-structured directory, and files are named by paths in the tree.
Example:
Figure 4.14 shows a portion of the tree structure for the UNIX file system
that contains the working version of this book. A user (other than ded)
wishing to read Chapter 4 must specify the path name /usr/ded/book/ch4.
Access is granted provided the user has E-access to the directories usr, ded,
and book, and R-access to the file ch4. ■

[Figure 4.14: a portion of the UNIX directory tree, showing the path
/usr/ded/book/ch4.]
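The path-walking check in the example can be sketched as follows (a Python illustration added here; the permission table is hypothetical):

```python
# rights[user][node] -> set of rights; "E" on a directory means search permission.
rights = {
    "pat": {"usr": {"E"}, "ded": {"E"}, "book": {"E"}, "ch4": {"R"}},
}

def can_read(user, path):
    """Grant read access only if the user has E-access to every directory
    along the path and R-access to the final file (UNIX-style check)."""
    parts = path.strip("/").split("/")
    user_rights = rights.get(user, {})
    for directory in parts[:-1]:
        if "E" not in user_rights.get(directory, set()):
            return False
    return "R" in user_rights.get(parts[-1], set())

print(can_read("pat", "/usr/ded/book/ch4"))   # True
print(can_read("sam", "/usr/ded/book/ch4"))   # False: no rights recorded
```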
Many systems use authorization lists with only two entries: one specifying
the owner's access rights, and the other specifying the access rights of all others.
The access rights in these systems are usually limited to R and W.
These degenerate forms of authorization lists do not meet the objective of
least privilege. Nevertheless, they are efficient to implement and search, and ade-
quate for many applications.
4.4.2 Revocation
The authorization lists we have described so far have the advantage of giving the
owner of an object complete control over who has access to the object; the owner
can revoke any other user's access to the object by deleting the user's entry in the
list (though the revocation might not take effect immediately as noted earlier).
This advantage is partially lost in systems that use authorization lists to support
nonowned objects, and allow any user to grant and revoke access rights to an
object.
An example of such a system is System R [Grif76], a relational database
system [Codd70,Codd79] developed at the IBM Research Laboratory in San Jose.
The protected data objects of System R consist of relations, which are sets (tables)
of n-tuples (rows or records), where each n-tuple has n attributes (columns). A
relation can be either a base relation, which is a physical table stored in memory,
or a view, which is a logical subset, summary, or join of other relations.
Example:
An example of a relation is
Student (Name, Sex, Major, Class, SAT, GP).
Each tuple in the Student relation gives the name, sex, major, class, SAT
score, and grade-point of some student in the database (see Table 6.1 in
Chapter 6). ■
Read: for reading rows of the table, using the relation in queries, or
defining views based on the relation.
Insert: for adding new rows to a table.
Any user A with access rights to a table can grant these rights to another user B
(provided the copy flag is set). A can later revoke these rights, and the state of the
system following a revocation should be as if the rights had never been granted.
This means that if B has subsequently granted these rights to another user C, then
C's rights must also be lost. In general, any user who could not have obtained the
rights without the grant from A to B must lose these rights.
To implement this, each access right granted to a user is recorded in an
access list called Sysauth. Sysauth is a relation, where each tuple specifies the
user receiving the right, the name of the table the user is authorized to access, the
type of table (view or base relation), the grantor making the authorization, the
access rights granted to the user, and a copy flag (called a Grant option). Each
access right (except for Update) is represented by a column of Sysauth and indi-
cates the time of the grant (a time of 0 means the right was not granted). The
timestamps are used by the revocation mechanism to determine the path along
which a right has been disseminated.
The column for Update specifies All, None, or Some. If Some is specified,
then for each updatable column, a tuple is placed in a second authorization table
called Syscolauth. It is unnecessary to provide a similar feature for Read, because
any subset of columns can be restricted through the view mechanism. For exam-
ple, access only to Name, Sex, Major, and Class for the Student relation can be
granted by defining a view over these attributes only (i.e., excluding SAT and
GP).
Note that the authorization list for a particular relation X can be obtained
from Sysauth by selecting all tuples such that Table = X.
Example:
The following shows the tuples in Sysauth that result from a sequence of
grants for a relation X created by user A. (Columns for table type and the
rights Delete, Update, and Drop are not shown.)
User   Table   Grantor   Read   Insert   Copy
B      X       A         10     10       yes
D      X       A         15     0        no
C      X       B         20     20       yes
D      X       C         30     30       yes
User B obtained both Read and Insert access to X from A at time t = 10,
and passed both rights to C at time t = 20. User D obtained Read access to X
from A at time t = 15, and both Read and Insert access to X from C at time
t = 30. Whereas D can grant the rights received from C, D cannot grant the
Read right received from A. ■
Griffiths and Wade [Grif76] use directed graphs to illustrate the transfer
and revocation of rights for a particular relation. Each node of a graph represents
a user with access to the relation. Each edge represents a grant and is labeled with
the time of the grant; we shall also label an edge with the rights transferred.
Example:
Figure 4.15 shows a graph for the relation X of the previous example. Sup-
pose that at time t = 40, A revokes the rights granted to B. Then the entries
in Sysauth for both B and C must be removed because C received these
rights from B. Although D is allowed to keep rights received directly from A,
D must forfeit other rights received from C. The final state of Sysauth is
thus:
D      X       A         15     0        no ■
Example:
Figure 4.16 illustrates a more complicated situation, where B first grants
rights to C received from A (t = 15), and then later grants rights to C
received from D (t = 25). The state of Sysauth is thus:
User   Table   Grantor   Read   Insert   Copy
D      Y       A         5      0        yes
B      Y       A         10     10       yes
C      Y       B         15     15       yes
B      Y       D         20     0        yes
C      Y       B         25     25       yes ■
Example:
Suppose A revokes the Read and Insert rights given to B. B should be al-
lowed to keep the Read right received from D, and C should be allowed to
keep the Read right received from B at time t = 25 that was passed along the
path (A, D, B, C). Both B and C, however, must forfeit their Insert rights.
The final state of Sysauth should therefore be:
User   Table   Grantor   Read   Insert   Copy
D      Y       A         5      0        yes
B      Y       D         20     0        yes
C      Y       B         25     0        yes

If the duplicate entry at time t = 25 had not been recorded in Sysauth, C's
Read right for Y would have been lost. ■
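The recursive revocation rule can be sketched as follows. This is a simplified model, not System R's actual code: the tuple layout (grantor, grantee, right, timestamp), the function names, and the explicit owner parameter are all illustrative. A surviving grant is kept only if it is supported by an earlier valid grant of the same right, or was made by the owner.

```python
# Sketch of Griffiths-Wade revocation semantics (illustrative model, not
# System R's implementation). Each grant is (grantor, grantee, right, time).

def revoke(grants, owner, grantor, grantee):
    """Delete grantor->grantee grants, then drop every unsupported grant."""
    grants = [g for g in grants if not (g[0] == grantor and g[1] == grantee)]

    def supported(g, seen=()):
        frm, to, right, t = g
        if frm == owner:               # the owner's grants need no support
            return True
        if g in seen:                  # guard against cycles in the graph
            return False
        # valid if the grantor received the same right at an earlier time
        return any(h[1] == frm and h[2] == right and h[3] < t
                   and supported(h, seen + (g,))
                   for h in grants)

    return [g for g in grants if supported(g)]
```

Applied to the grants of the last example, revoking A's grant to B at t = 40 leaves exactly the three surviving tuples: D's Read from A (t = 5), B's Read from D (t = 20), and C's Read from B (t = 25).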
4.5 CAPABILITIES
(x1, r1), . . . , (xn, rn)
where ri gives the rights in A[s, xi] of the access matrix. The C-list for s, therefore,
represents the nonempty entries in row s of the access matrix.
Example:
Figure 4.17 illustrates a C-list that provides read/execute-access (RE) to the
code for procedure A, read-only-access (R) to data objects B and C, and
read/write-access (RW) to data object D. The diagram shows each capabili-
ty pointing directly to an object; the mapping from capabilities to object
locations is described in Section 4.5.3. ■
Dennis and Van Horn envisaged a mechanism for supporting small protection do-
mains and abstract data types. A principal feature of their mechanism was an
enter capability (denoted by the access right Ent). An enter capability points to a
C-list and gives the right to transfer into the domain defined by the C-list. Enter
capabilities provide a mechanism for implementing protected entry points into
domains.
(Figure 4.18: the calling domain's C-list holds RE- and RW-capabilities for
its own procedure code and data segment, plus an Ent capability for the
called domain's C-list; the called domain's C-list holds RE- and RW-
capabilities for the called procedure and its data segment.)
CAPABILITIES 219
An abstract data type is a collection of objects and operations that manipulate the
objects. Programming languages that support abstract data types have facilities
for defining a type module that specifies:
Abstract data types are also called extended-type objects, because they extend the
basic built-in types of a programming language. Languages that support abstract
data types include Simula 67 [Dahl72], CLU [Lisk77], Alphard [Wulf76], MODEL
[Morr78], and Ada. These languages are sometimes called "object-oriented"
languages.
Example:
Figure 4.19 shows the principal components of a type module for a stack of
integer elements, implemented as a sequential vector; all procedures are
available outside the module. ■
module stack
constant size = 100;
type stack =
record of
top: integer, init 0;
data: array[1 .. size] of integer;
end;
procedure push(var s: stack; x: integer);
begin
s.top := s.top + 1;
if s.top > size
then "stack overflow"
else s.data[s.top] := x
end;
procedure pop(var s: stack): integer;
begin
if s.top = 0
then "stack underflow"
else begin
pop := s.data[s.top];
s.top := s.top - 1;
end
end;
procedure empty(var s: stack): boolean;
begin
if s.top = 0
then empty := true
else empty := false
end
end stack
(Figure 4.20: the calling C-list with Pop, Push, and Empty rights to stack S
and an Ent capability for the pop procedure; the C-list for the pop procedure
with its amplification template; and, after the call, the C-list for the
activation of pop with RW rights for S.)
Example:
Let S be an instance of type stack as defined in Figure 4.19. Figure 4.20
shows a calling C-list with Pop, Push, and Empty rights to S, and an Ent
right for the pop procedure. The C-list for the pop procedure has an amplifi-
cation template that allows it to amplify the pop right in a capability for a
stack to R W. When the pop procedure is called with parameter S, a C-list
for the activation of pop is created with R W rights for S (activation C-lists
are analogous to procedure activation records). ■
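The amplification step can be sketched as follows. This is an illustrative model, not HYDRA's or an actual C-list format: the dictionary representation, the function name, and the template fields are assumptions. On entry through the Ent capability, the template upgrades a Pop capability for a stack into RW rights that exist only in the activation C-list.

```python
# Sketch of rights amplification at a protected entry point (illustrative
# data structures; not an actual capability-system implementation).

def enter_pop(caller_clist, template):
    """Build the activation C-list for a call to pop."""
    activation = {}
    for obj, rights in caller_clist.items():
        if template["required"] in rights:           # e.g. the Pop right
            activation[obj] = template["amplified"]  # amplified to RW
    return activation

caller = {"S": {"Pop", "Push", "Empty"}}             # calling C-list for stack S
template = {"required": "Pop", "amplified": "RW"}    # pop's amplification template
# enter_pop(caller, template) yields RW rights for S, valid only for the call
```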
Example:
A process owning a stack S would be given a ticket for S and activators for
popping and pushing arbitrary stacks. The type module, on the other hand,
would be given activators for reading and writing the representation of
stacks; these activators can be applied to the stack S if the process owning S
passes the ticket for S to the type module. The activators within the type
module serve the same purpose as the templates used in HYDRA. ■
(Figure 4.23: an instruction address pairs a capability with an offset i; the
capability holds rights and an object name, which selects a descriptor-table
entry giving the object's base B and length L; the reference then maps to
memory location B + i within the region B through B + L - 1.)
A capability does not usually index the mapping table directly. Instead it
gives the unique name of the object, and this name is hashed to a slot in the table.
This has special advantages when programs are shared or saved in long-term
storage. Because the capabilities are invariant, the program can run in any domain
at any time without modification. All variant information describing the location
of the program and the objects referenced by it is kept in a central descriptor table
under system control.
This property of invariance distinguishes capability systems from segmented
virtual memory systems based on codewords and descriptors. In a descriptor-
addressed system, a program accesses an object through a local address that points
directly to an entry in the descriptor table. (Access rights are stored directly in the
descriptors.) If local addresses refer to fixed positions in the descriptor table,
sharing requires the participants to prearrange definitions (bindings) of local ad-
dresses. (See [Fabr71b,Fabr74] for a detailed discussion of capability-based
addressing.)
The capabilities and hashed descriptor table need not significantly degrade
addressing speed. Information in the descriptor table can be stored in high-speed
associative registers, as is done for virtual memories. Table lookup time can be
reduced by picking object names that hash to unique slots in the table (in
SWARD, this is done by incrementing a counter until the value hashes to an
empty slot).
With capability-based addressing, subjects sharing an object need only store
a capability to an entry point in the structure, and different subjects can have
different entry points and different access rights.
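The SWARD-style naming trick can be sketched as follows. The table size, the hash function (name mod table size), and the function names are illustrative assumptions, not SWARD's actual design details; the point is that names are chosen so each hashes to an empty slot, letting a capability resolve in a single probe.

```python
# Sketch of choosing object names that hash to unique descriptor-table
# slots (illustrative sizes and hash; not SWARD's actual implementation).

TABLE_SIZE = 8
table = [None] * TABLE_SIZE              # central descriptor table
counter = 0

def create_object(base, length):
    """Pick the next counter value whose slot is free; register the object."""
    global counter
    while table[counter % TABLE_SIZE] is not None:
        counter += 1                     # skip names whose slot is taken
    name = counter
    table[name % TABLE_SIZE] = (name, base, length)
    counter += 1
    return name                          # invariant name stored in capabilities

def translate(name, offset):
    """Map (capability name, offset) to a memory address in one probe."""
    obj_name, base, length = table[name % TABLE_SIZE]
    assert obj_name == name and 0 <= offset < length
    return base + offset
```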
226 ACCESS CONTROLS
(Figure 4.24: the C-lists of processes P1 and P2 addressing a hierarchy of
directories D, D1, D11, D12, D2, D3, D31 and their files; P1 holds RW- and
R-capabilities for the directories, and P2 holds an R-capability for D3.)
Example:
Figure 4.24 shows a process P1 with an RW-capability for the root D of a file
directory. To read file F1, P1 would first get the RW-capability for directory
D1 from D; it would then get the RW-capability for D11 from D1, and
finally get an R-capability for F1 from D11. Similarly, P1 can acquire capa-
bilities to access other files in the directory or to modify directories ad-
dressed by RW-capabilities (namely, D, D1, D11, and D3). Process P1 can
share the subdirectory D3 with a process P2 by giving it an R-capability for
the subdirectory D3; thus P2 can only access files F5 and F6; it cannot
modify any of the directories. ■
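The traversal in this example can be sketched as follows. The directory contents and function names are illustrative: each directory maps entry names to capabilities, so a process must acquire a capability at every step of the path to reach a file.

```python
# Sketch of path lookup through directory capabilities (illustrative
# contents mirroring Figure 4.24's example, not an actual system).

directories = {
    "D":   {"D1": ("RW", "D1"), "D3": ("RW", "D3")},
    "D1":  {"D11": ("RW", "D11")},
    "D11": {"F1": ("R", "F1")},
    "D3":  {"F5": ("R", "F5"), "F6": ("R", "F6")},
}

def lookup(root_cap, path):
    """Follow a path, fetching the capability for each component in turn."""
    rights, node = root_cap
    for name in path:
        rights, node = directories[node][name]   # needs each directory capability
    return rights, node

# Starting from P1's RW-capability for D, the path D1/D11/F1 yields
# the R-capability for file F1.
```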
4.5.4 Revocation
Capabilities are easy to copy and disseminate, especially when they are stored in a
tagged memory rather than in C-lists. This facilitates sharing among procedures
or processes. There is, however, a drawback to this if objects are owned, and the
owners can revoke privileges. If all access rights to an object are stored in a single
authorization list, it is relatively simple to purge them. But if they are scattered
throughout the system, revocation could be more difficult.
Redell [Rede74] proposed a simple solution to this problem based on indirect
addressing. The owner of an object X with capability C creates a capability C'
with name X'. Rather than pointing to the object directly, the entry for X' in the
descriptor table points to the entry for X. The owner grants access to X by giving
out copies of the capability C' (see Figure 4.25). If the owner later revokes C', the
entry for X' is removed from the descriptor table, breaking the link to X. The
indirect capabilities of SWARD can also be used for revocation. Here the user is
given an indirect capability I that points to a copy C1 of the owner's capability for
X. The owner revokes access to X by changing C1 (see Figure 4.26).
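Redell's indirection can be sketched as follows. The descriptor-table representation and function names are illustrative assumptions: C' embeds the name X', whose table entry points at X's entry, so deleting the X' entry simultaneously invalidates every outstanding copy of C'.

```python
# Sketch of revocation by indirect capability (illustrative descriptor-
# table model, not an actual system's layout).

descriptor_table = {"X": ("object", 0x1000)}     # X's real descriptor

def grant(target_name, alias):
    """Create an indirect entry; the alias is embedded in the new capability."""
    descriptor_table[alias] = ("indirect", target_name)
    return alias

def resolve(name):
    """Follow indirections to the object; fails once the link is broken."""
    kind, value = descriptor_table[name]         # KeyError after revocation
    return resolve(value) if kind == "indirect" else value

def revoke_alias(alias):
    del descriptor_table[alias]                  # breaks every copy of C'
```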
(L1, r1), . . . , (Ln, rn).
A subject s is given a key Ki to lock Li if s has ri-access to x; that is, if A[s, x] = ri.
A lock list, therefore, represents a column of the access matrix, where identical
(nonempty) entries of the column can be represented by a single pair (Li, ri). A
key for an object represents a form of capability in which access is granted only if
the key matches one of the locks in the object's lock list. The owner of an object
can revoke the access rights of all subjects sharing a key Ki by deleting the entry
for Li in the lock list. Typically n = 1; that is, an object contains a single lock. In
this case, a key is like an indirect capability, because the owner can revoke the key
by changing the lock.
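A lock list can be sketched as follows. The class, its method names, and the use of random tokens as lock values are illustrative assumptions: the object's lock list compresses a column of the access matrix into (lock, rights) pairs, and deleting a lock revokes every subject holding the matching key at once.

```python
# Sketch of a lock-and-key check (illustrative representation, not a
# particular system's mechanism).
import secrets

class LockList:
    def __init__(self):
        self.locks = {}                  # lock value -> rights string, e.g. "RW"

    def add_lock(self, rights):
        lock = secrets.token_hex(8)      # the lock value doubles as the key
        self.locks[lock] = rights
        return lock                      # distributed to authorized subjects

    def check(self, key, right):
        return right in self.locks.get(key, "")

    def revoke(self, lock):
        self.locks.pop(lock, None)       # all key holders lose access at once
```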
This method of protection resembles the "storage keys" used in IBM Sys-
tem/360 [IBM68]; the program status word of a process specifies a 4-bit key that
must match a lock on the region of memory addressed by the process.
The ASAP file maintenance system designed at Cornell uses locks and keys
[Conw72]. Each field in a record has associated with it one of eight possible
classes (locks). Users are assigned to one or more of the classes (keys), and can
only access those fields for which they have a key. There is also associated with
each user a list of operations (e.g., Update, Print) the user is allowed to perform,
and a set of data-dependent access restrictions. Whereas the data-independent
restrictions are enforced at compile-time, the data-dependent restrictions are en-
forced at run-time.
Encryption is another example of a lock and key mechanism. Encrypting
data places a lock on it, which can be unlocked only with the decryption key.
Gifford [Gift82] has devised a scheme for protecting objects with encryption,
which he calls cryptographic sealing. Let X be an object encrypted with a key K;
access to X, therefore, requires K. Access to K can be controlled by associating an
opener R with X. Openers provide different kinds of sharing, three of which are as
follows:
D1(D2( . . . Dn-1(Dn(R)) . . . )) = K .
Quorum-Access, where K can be recovered from any subset of t of the Di in a
list D1, . . . , Dn. Here R is defined by the list
R = (E1(K1), E2(K2), . . . , En(Kn)),
where each Ki is a shadow of K in a (t, n) threshold scheme (see Section 3.8).
The different types of access can be combined to give even more flexible
forms of sharing. The scheme also provides mechanisms for constructing submaster
keys and indirect keys (that allow keys to be changed), and providing check-
sums in encrypted objects (for authentication--see Section 3.4). It can be used
with both single-key and public-key encryption.
Example:
An example of an expression is E = "Sex = Female". A request to retrieve
this group of records from a table Student is specified by the query:
Retrieve, Student, (Sex = Female). ■
Example:
If a user is permitted to retrieve only the records of students in the depart-
ment of computer science, then S = "Dept = CS", and the preceding request
would be transformed to:
Retrieve, Student, (Sex = Female) and (Dept = CS). ■
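Query modification can be sketched as follows. The relation contents and predicate representation are illustrative: the query processor conjoins the user's requested qualification E with the access constraint S before evaluation, so the evaluated query can never see records outside the permitted group.

```python
# Sketch of query modification (illustrative relation and predicates).

students = [
    {"Name": "Ann",  "Sex": "Female", "Dept": "CS"},
    {"Name": "Bea",  "Sex": "Female", "Dept": "EE"},
    {"Name": "Carl", "Sex": "Male",   "Dept": "CS"},
]

def retrieve(relation, requested, allowed):
    """Evaluate the modified query (E) and (S) over the relation."""
    modified = lambda r: requested(r) and allowed(r)
    return [r for r in relation if modified(r)]

requested = lambda r: r["Sex"] == "Female"   # E: Sex = Female
allowed   = lambda r: r["Dept"] == "CS"      # S: Dept = CS
# retrieve(students, requested, allowed) returns only Ann's record
```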
VERIFIABLY SECURE SYSTEMS 231
The technique has the advantage of being conceptually simple and easy to
implement, yet powerful enough to handle complex access constraints. It is, how-
ever, a high-level mechanism applicable only at the user interface. Lower-level
mechanisms are needed to ensure the transaction programs do not violate their
constraints, and to ensure users cannot circumvent the query processor.
The presence of protection mechanisms does not guarantee security. If there are
errors or design flaws in the operating system, processes may still be able to
acquire unauthorized access to objects or bypass the protection mechanisms. For
example, a user may be able to bypass an authorization list for a file stored on disk
by issuing I/O requests directly to the disk.
In the 1960s, the System Development Corporation (SDC) developed an
approach for locating security flaws in operating systems [Lind75]. The method-
ology involves generating an inventory of suspected flaws called "flaw hypothe-
ses", testing the hypotheses, and generalizing the findings to locate similar flaws.
SDC applied the technique to locate and repair flaws in several major systems (see
also [Hebb80] for a more recent application).
Most flaws satisfy certain general patterns; for example, a global variable
used by the supervisor is tampered with between calls, and the supervisor does not
check the variable before use. The University of Southern California Information
Sciences Institute (ISI) has developed tools (some automatic) for finding these
error patterns in operating systems [Carl75].
Penetration analysis (sometimes called a "tiger team" approach) has helped
locate security weaknesses. But like program testing, it does not prove the absence
of flaws.
Processes cannot directly pass capabilities. The policy manager relies on a separate
process (called a "dialoguer") to establish a secure connection between a user and
terminal. The security policies and mechanisms of the system, therefore, are in-
vested in the kernel, the policy manager, and the dialoguer (shown highlighted in
Figure 4.28).
The kernel supports four types of objects: capabilities, processes, pages, and
devices. It does not support type extensibility through abstract data types. Capa-
bilities are implemented in software. The kernel is small (compared with other
kernels), consisting of less than 2000 lines of code. The system architecture also
includes a resource scheduler and network manager for the ARPANET.
Figure 4.29 shows the architecture of KSOS. Like the UCLA kernel, the
KSOS kernel is at the lowest level and runs in kernel mode. But the KSOS kernel
is substantially larger than the UCLA kernel, providing more operating system
functions, file handling, and a form of type extension (the kernel is closer to a
complete operating system than a simple reference monitor). The kernel enforces
both an access control policy and the multilevel security policy.
A UNIX emulator and a "trusted" portion of nonkernel system software run
in supervisor mode and interface directly with the kernel. The emulator translates
system calls at the UNIX interface into kernel calls. Untrusted (nonverified) sys-
tem software and application programs run in user mode and interface with the
UNIX emulator or directly with the kernel. They can communicate with trusted
processes through interprocess communication messages provided by the kernel.
The trusted software consists of support services such as login, the terminal inter-
face, and the telecommunications interface; and security mechanisms for applica-
tions with policies that conflict with the multilevel security policies of the kernel
(see Section 5.6.3 for an example). Trusted processes are at least partially verified
or audited.
Security kernels have also been used to structure database systems. Downs
and Popek [Down77] describe a database system that uses two security kernels: a
"kernel input controller", which processes user requests at the logical level, and a
"base kernel", which accesses the physical representation of the data. All security
related operations are confined to the kernels. Separate (nonverified) data man-
agement modules handle the usual data management functions, such as selecting
access methods, following access paths, controlling concurrent accesses, and for-
matting data. The base kernel is the only module allowed to access the database.
The basic idea is to decompose a system (or security kernel) into a linear hierarchy
of abstract machines, M0, . . . , Mn. Each abstract machine Mi (0 < i ≤ n) is
implemented by a set of abstract programs Pi-1 running on the next lower level
machine Mi-1. Thus the programs at level i depend only on the programs at levels
0, . . . , i - 1. They are accessible at level i + 1, but may be invisible at levels above
that. The system is verified one level at a time, starting with level 0; thus verifica-
tion of each level can proceed under the assumption that all lower levels are
correct. The general approach originated with Dijkstra [Dijk68], who used it to
structure the "THE" (Technische Hoogeschule Eindhoven) multiprogramming
system.
The Provably Secure Operating System (PSOS), designed at SRI under the
direction of Peter Neumann, has a design hierarchy with 17 levels of abstraction
(see Figure 4.30) [Feie79,Neum80]. PSOS is a capability-based system support-
ing abstract data types. Because capabilities provide the basic addressing and
protection mechanisms of the system, they are at the lowest level of abstraction.
All levels below virtual memory (level 8) are invisible at the user interface, except
for capabilities and basic operations (level 4). In the first implementation, levels 0
through 8 are expected to be implemented in hardware (or microcode) along with
a few operations at the higher levels.
Imposing a loop-free dependency structure on a system design is not always
straightforward (see [Schr77]). Some abstractions--for example, processes and
memory--are seemingly interdependent. For example, the process manager de-
pends on memory for the storage of process state information; the virtual memory
manager depends on processes for page swaps. Because neither processes nor
memory can be entirely below the other, these abstractions are split into "real"
Level   Abstractions
16      Command interpreter
15      User environments and name space
14      User input/output
13      Procedure records
12      User processes and visible input/output
11      Creation and deletion of user objects
10      Directories
9       Abstract data types
8       Virtual memory (segmentation)
7       Paging
6       System processes and system input/output
5       Primitive input/output
4       Basic arithmetic and logical operations
3       Clocks
2       Interrupts
1       Real memory (registers and storage)
0       Capabilities
and "virtual" components. In PSOS, real memory is below processes, but a few
fixed (real) system processes with real memory are below virtual memory. User
(virtual) processes are above virtual memory. (In PSOS, the design hierarchy is
also separated from the implementation hierarchy.)
4.6.3 Verification
module stack;
Vfun top() : integer;
   "primitive V-function giving the index
   of the top of the stack"
   hidden;
   initially: top = 0;
   exceptions: none;
Vfun data(i: integer) : integer;
   "primitive V-function giving the value
   of the ith element of the stack"
   hidden;
   initially: ∀i (data(i) = undefined);
   exceptions: (i < 0) or (i > size);
Vfun empty() : boolean;
   "derived V-function giving status of stack"
   derived: if top = 0 then true else false;
Ofun push(x: integer);
   "push element x onto top of stack"
   exceptions: top ≥ size;
   effects: 'top = top + 1;
      'data('top) = x;
      ∀j ≠ 'top, 'data(j) = data(j)
end stack
A function can both perform an operation and return a value, in which case it is
called an OV-function. Functions may be either visible or invisible (hidden) outside
the module. Primitive V-functions are always hidden.
The specification of a function lists exceptions which state abnormal condi-
tions under which the function is not defined. The implementation must ensure the
code for the function is not executed when these conditions are satisfied (e.g., by
making appropriate tests).
Example:
Figure 4.31 shows a specification of a module for a subset of the stack
module shown in Figure 4.19. A V-function name preceded by a prime (')
refers to the value of the V-function after the transition caused by the effects
of an O-function; the unprimed name refers to its original value. Specifica-
tion of the pop operation is left as an exercise. ■
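The specification's transition semantics can be sketched in Python rather than in the specification language (class and constant names are illustrative): the V-functions top and data read the state, empty is derived from them, and the O-function push is guarded by its exception condition before its effects are applied.

```python
# Sketch of the stack module's state-machine semantics (Python model of
# the specification, not an implementation to be verified against it).

SIZE = 100

class StackSpec:
    def __init__(self):
        self.top = 0        # initially: top = 0
        self.data = {}      # initially: data(i) undefined for all i

    def empty(self):        # derived V-function
        return self.top == 0

    def push(self, x):      # O-function
        if self.top >= SIZE:                     # exceptions: top >= size
            raise ValueError("stack overflow")
        self.top += 1                            # effects: 'top = top + 1
        self.data[self.top] = x                  # effects: 'data('top) = x
```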
S0. Interface Definition. The system interface is defined and decomposed into a
set of modules. Each module manages some type of system object (e.g.,
segments, directories, processes), and consists of a collection of V- and O-
functions. (Formal specifications for the functions are deferred to Stage S2.)
The security requirements of the system are formulated. For PSOS, these
requirements are described by two general principles:
a. Detection Principle: There shall be no unauthorized acquisition of
information.
b. Alteration Principle: There shall be no unauthorized alteration of
information.
These are low-level principles of the capability mechanism; each type man-
ager uses capabilities to enforce its own high-level policy.
S1. Hierarchical Decomposition. The modules are arranged into a linear hierar-
chy of abstract machines M0, . . . , Mn as described in Section 4.6.2. The
consistency of the structure and of the function names is verified.
S2. Module Specification. Formal specifications for each module are developed
as described. Each module is verified to determine if it is self-consistent and
satisfies certain global assertions. The basic security requirements of the
system are represented as global assertions and verified at this stage. For
PSOS, the alteration and detection principles are specified in terms of capa-
bilities providing read and write access.
S3. Mapping Functions. A mapping function is defined to describe the state
space at level i in terms of the state space at level i - 1 (0 < i ≤ n). This is
written as a set of expressions relating the V-functions at level i to those at
level i - 1. Consistency of the mapping function with the specifications and
the hierarchical decomposition is verified.
S4. Implementation. Each module is implemented in hardware, microcode, or a
high-level language, and the consistency of the implementation with the
specifications and mapping function is verified. Implementation proceeds
one level at a time, from the lowest level to the highest. Each function at
level i is implemented as an abstract program which runs on machine Mi-1.
Each abstract program is verified using Floyd's [Floy67] inductive-
assertion method, which is extended to handle V- and O-function calls. Entry
and exit assertions are constructed for each program from the specifications.
A program is proved correct by showing that if the entry assertions hold
when the program begins execution, then the exit assertions will hold when
the program terminates, regardless of the execution path through the pro-
gram. The proof is constructed by inserting intermediate assertions into the
program; these define entry and exit conditions for simple paths of the pro-
gram. A simple path is a sequence of statements with a single entry and a
single exit. For each simple path S with entry assertion P and exit assertion
Q, a verification condition (VC) in the form of an implication P' ⊃ Q' is
derived by transforming P and Q to reflect the effects of executing S. The
program is proved (or disproved) correct by proving (or disproving) the VCs
are theorems. The proof techniques are described in [Robi77]. Program
proving is studied in Section 5.5.
These requirements are essentially the same as the Detection and Alteration prin-
ciples of PSOS.
The second part involves verifying that the Pascal implementation satisfies
the low-level specifications, and verifying that the specifications at each level are
consistent with each other. Note that whereas for PSOS the implementation is
constructed from the hierarchy of specifications and mapping functions, for
UCLA Secure UNIX it represents a refinement of the bottom-level specifications.
Verification of UCLA Secure UNIX was assisted by the AFFIRM verification
system and its predecessor XIVUS, developed at ISI.
For further reading on specification and verification systems, see Cheheyl,
Gasser, Huff, and Millen [Cheh81]. This paper surveys four systems, including
HDM and AFFIRM. The other two systems are Gypsy, developed at the Universi-
ty of Texas at Austin, and the Formal Development Methodology (FDM) and its
specification language Ina Jo, developed at SDC.
Rushby [Rush81] has proposed a new approach to the design and verifica-
tion of secure systems. His approach is based on a distributed system architecture
that provides security through physical separation of subjects where possible,
trusted modules that control the communication channels among subjects, and a
security kernel that enforces the logical separation of subjects sharing the same
physical resources. Verification involves showing that the communication channels
are used in accordance with the security policies of the system, and that the
subjects become completely isolated when these channels are cut. The latter part,
Harrison, Ruzzo, and Ullman [Harr76] studied the feasibility of proving proper-
ties about a high-level abstract model of a protection system. They used as their
model the access-matrix model described in Section 4.1; thus, the state of a system
is described by an access matrix A, and state transitions by commands that create
and destroy subjects and objects, and enter and delete rights in A. They defined an
unauthorized state Q to be one in which a generic right r could be leaked into A;
the right would be leaked by a command c that, when run in state Q, would
execute a primitive operation entering r into some cell of A not previously contain-
ing r. An initial state Q0 of the system is defined to be safe for r if it cannot derive
a state Q in which r could be leaked.
Leaks are not necessarily bad, as any system that allows sharing will have
many leaks. Indeed, many subjects will intentionally transfer (leak) their rights to
other "trustworthy" subjects. The interesting question is whether transfer of a
right r violates the security policies of the system. To answer this question, safety
for r is considered by deleting all trustworthy subjects from the access matrix.
Proving a system is safe does not mean it is secure; safety applies only to the
abstract model. To prove security, it is also necessary to show the system correctly
implements the model; that is, security requires both safety and correctness. Thus,
safety relates to only part of the verification effort described in the preceding
section.
Harrison, Ruzzo, and Ullman showed safety is undecidable for arbitrary
protection systems. Safety is decidable, however, if no new subjects or objects
can be created. They also showed safety is decidable in a highly constrained class
of systems permitting only "mono-operational" commands, which perform at most
one elementary operation. We first review their results for mono-operational sys-
tems, and then review their results for general systems.
We then consider the prospects for developing a comprehensive theory of
protection (or even a finite number of such theories) sufficiently general to enable
proofs or disproofs of safety. Not surprisingly, we can show there is no decidable
theory adequate for proving all propositions about safety.
These results must be interpreted carefully. They are about the fundamental
limits of our abilities to prove properties about an abstract model of a protection
system. They do not rule out constructing individual protection systems and prov-
ing they are secure, or finding practical restrictions on the model that make safety
questions tractable. Yet, these results do suggest that systems without severe re-
strictions on their operation will have security questions too expensive to answer.
Thus we are forced to shift our concern from proving arbitrary systems secure to
designing systems that are provably secure. PSOS, KSOS, UCLA Unix, and the
other systems described in the last section are provably secure only because they
were designed to satisfy specified security requirements. Their security was contin-
ually verified at each stage in the development of the system.
We conclude this chapter with a discussion of safety in systems constrained
by the "take-grant" graph rules. For such systems, safety is not only decidable, but
decidable in time linear in the size of the protection graph.
Theorem 4.1:
There is an algorithm that decides whether a given mono-operational system
and initial state Q0 is safe for a given generic right r.
Proof:
We will show that only a finite number of command sequences need be
checked for the presence of a leak. Observe first that we can ignore
command sequences containing delete and destroy operators, since
commands only check for the presence of rights, not their absence.
Thus, if a leak occurs in a sequence containing these commands, then
the leak would occur in one without them.
Observe next that we can ignore command sequences containing
more than one create operator. The reason is that all commands that
enter or check for rights in new positions of the access matrix can be
replaced with commands which enter or check for rights in existing
positions of the matrix; this is done simply by changing the actual
parameters from the new subjects and objects to existing subjects and
objects. It is necessary, however, to retain one create subject command
in case the initial state has no subjects (to ensure that the matrix has at
least one position in which to enter rights).
This means the only command sequences we need consider are
those consisting of enter operations and at most one create subject
operation.
Now, the number of distinct enter operations is bounded by g·ns·no,
where g is the number of generic rights, ns = |S0| + 1 is the number
of subjects, and no = |O0| + 1 is the number of objects. Because the
order of enter operations in a command sequence is not important, the
number of command sequences that must be inspected is, therefore,
bounded by:

2^(g·ns·no + 1) .
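The bound in the proof is easy to evaluate directly. The sketch below is illustrative and not from the text; the function name is mine.

```python
def sequence_bound(g, num_subjects, num_objects):
    """Upper bound on the command sequences the decision procedure
    must inspect for a mono-operational system: 2^(g*ns*no + 1),
    where ns = |S0| + 1 and no = |O0| + 1 account for the single
    permitted create-subject command."""
    ns = num_subjects + 1
    no = num_objects + 1
    distinct_enters = g * ns * no  # choices of (right, subject, object)
    # Order is irrelevant, so a sequence is a subset of the distinct
    # enter operations, optionally preceded by one create subject.
    return 2 ** (distinct_enters + 1)

print(sequence_bound(1, 1, 1))  # 2^(1*2*2 + 1) = 32
```

The bound is finite but grows exponentially in the matrix dimensions, which is why decidability here does not imply a practical procedure.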
242 ACCESS CONTROLS
Harrison, Ruzzo, and Ullman show that the general safety problem is undecida-
ble. To prove this result, they show how the behavior of an arbitrary Turing
machine (e.g., see [Aho74,Mins67]) can be encoded in a protection system such
that leakage of a right corresponds to the Turing machine entering a final state.
Therefore, if safety is decidable, then so is the halting problem. Because the halt-
ing problem is undecidable, the safety problem must also be undecidable.
A Turing machine T consists of a finite set of states K and a finite set of tape
symbols Γ, which includes a blank b. The tape consists of an infinite number of
cells numbered 1, 2, ..., where each cell is initially blank. A tape head is always
positioned at some cell of the tape.
The moves of T are specified by a function δ: K × Γ → K × Γ × {L, R}. If δ(q,
X) = (p, Y, R) and T is in state q scanning symbol X with its tape head at cell i,
then T enters state p, overwrites X with Y, and moves its tape head right one cell
(i.e., to cell i + 1). If δ(q, X) = (p, Y, L) the same thing happens, but the tape head
is moved left one cell (unless i = 1).
T begins in an initial state q0, with its head at cell 1. There is also a final
state qf such that if T enters qf it halts. The "halting problem" is to determine
whether an arbitrary Turing machine ever enters its final state. It is well-known
that this problem is undecidable. We shall now show the safety problem is also
undecidable.
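The machine model just described is straightforward to simulate. The sketch below is mine, not the text's; note that the simulation must be cut off after a bounded number of steps, precisely because halting cannot be decided in general.

```python
def run_tm(delta, q0, qf, max_steps=1000):
    """Simulate the Turing machine of the text: delta maps
    (state, symbol) -> (state, symbol, 'L' or 'R'); the tape is
    infinite to the right and initially all blanks 'b'; the head
    starts at cell 1. Returns True if the final state qf is reached
    within max_steps."""
    tape = {}           # cell -> symbol; missing cells are blank
    head, state = 1, q0
    for _ in range(max_steps):
        if state == qf:
            return True
        sym = tape.get(head, 'b')
        state, tape[head], move = delta[(state, sym)]
        if move == 'R':
            head += 1
        elif head > 1:  # an 'L' move at cell 1 leaves the head in place
            head -= 1
    return state == qf

# A machine that overwrites the first blank and halts:
delta = {('q0', 'b'): ('qf', 'X', 'R')}
print(run_tm(delta, 'q0', 'qf'))  # True
```

A machine such as {('q0', 'b'): ('q0', 'b', 'R')} never reaches qf, and the simulator simply gives up after max_steps; no simulator can do better for arbitrary machines.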
Theorem 4.2:
It is undecidable whether a given state of a given protection system is safe
for a given generic right.
Proof:
Let T be an arbitrary Turing machine. We shall first show how to
encode the state of T as an access matrix in a protection system, and
then show how to encode the moves of T as commands of the system.
The tape symbols will be represented as generic access rights, and the
tape cells as subjects of the matrix.
Suppose that T is in state q. At that time, T will have scanned a
[Figure 4.32: a machine configuration (tape cells 1-4 holding A, B, C, D, with
the head in state q at cell 3) and the corresponding access matrix, in which each
cell subject holds Own for its successor, the scanned cell holds the rights q and
C, and the last cell holds End.]
subject s0, corresponding to the first tape cell. The rights in A[s0, s0]
include q0, b (since all cells are blank), and End.
The moves of T are represented as commands. A move δ(q, X)
= (p, Y, L) is represented by a command that revokes the right q from
subject s' and grants the right p to subject s, where s' represents the
current position of the tape head, and s represents the cell to the left of
s'. The command, shown next, also substitutes the right Y for the right
X in the cell represented by s'.
command Cqx(s, s')
if
  Own in A[s, s'] and
  q in A[s', s'] and
  X in A[s', s']
then
  delete q from A[s', s']
  delete X from A[s', s']
  enter Y into A[s', s']
  enter p into A[s, s]
end.
A move 6(q, X) = (p, Y, R) is represented by two commands to handle
the possibility that the tape head could move past the current end of
the tape (in which case a new subject must be created). The specifica-
tion of these commands is left as an exercise for the reader.
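Read as an operation on the access matrix, the left-move command above can be sketched as follows. The dictionary-of-sets representation and the function name are mine; the conditions and updates mirror the command Cqx given in the text.

```python
from collections import defaultdict

def apply_Cqx(A, s, sp, q, X, p, Y):
    """Apply the left-move command: if s owns s' (sp), and s' holds the
    state right q and the scanned symbol X, replace X by Y and move the
    state right from A[s', s'] to A[s, s]."""
    if 'Own' in A[(s, sp)] and q in A[(sp, sp)] and X in A[(sp, sp)]:
        A[(sp, sp)].discard(q)   # delete q from A[s', s']
        A[(sp, sp)].discard(X)   # delete X from A[s', s']
        A[(sp, sp)].add(Y)       # enter Y into A[s', s']
        A[(s, s)].add(p)         # enter p into A[s, s]
    return A

A = defaultdict(set)
A[('s1', 's2')].add('Own')            # cell s1 owns its successor s2
A[('s2', 's2')].update({'q', 'C'})    # head in state q scanning C at s2
apply_Cqx(A, 's1', 's2', q='q', X='C', p='p', Y='D')
print(sorted(A[('s2', 's2')]), sorted(A[('s1', 's1')]))  # ['D'] ['p']
```

After the move, the state right has shifted one cell to the left and the scanned symbol has been rewritten, exactly as in the machine.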
Now, if the Turing machine reaches its final state qf, then the
right qf will be entered into some position of the corresponding access
matrix. Equivalently, if the Turing machine halts, then the right qf is
leaked by the protection system. Because the halting problem is undecidable,
the safety problem must, therefore, also be undecidable. ■
Theorem 4.2 means that the set of safe protection systems is not recursive;
that is, it is not possible to construct an algorithm that decides safety for all
systems. Any procedure alleged to decide safety must either make mistakes or get
hung in a loop trying to decide the safety of some systems.
We can, however, generate a list of all unsafe systems; this could be done by
systematically enumerating all protection systems and all sequences of commands
in each system, and outputting the description of any system for which there is a
sequence of commands causing a leak. This is stated formally by Theorem 4.3:
Theorem 4.3:
The set of unsafe systems is recursively enumerable. ■
We cannot, however, enumerate all safe systems, for a set is recursive if and only if
both it and its complement are recursively enumerable.
Whereas the safety problem is in general undecidable, it is decidable for
finite systems (i.e., systems that have a finite number of subjects and objects).
Harrison, Ruzzo, and Ullman prove, however, the following theorem, which im-
plies that any decision procedure is intractable:
Theorem 4.4:
The question of safety for protection systems without create commands is
PSPACE-complete (complete in polynomial space). ■
This means that safety for these systems can be solved in polynomial time
(time proportional to a polynomial function of the length of the description of the
system) if and only if PSPACE = P; that is, if and only if any problem solvable in
polynomial space is also solvable in polynomial time. Although the relationship
between time and space is not well understood, many believe PSPACE ≠ P and
exponential time is required for such problems (see Section 1.5.2). The proof of
Theorem 4.4 involves showing any polynomial-space bounded Turing machine can
be reduced in polynomial time to an initial access matrix whose size is polynomial
in the length of the Turing machine input.
Harrison and Ruzzo [Harr78] considered monotonic systems, which are re-
stricted to the elementary operations create and enter (i.e., there are no destroy or
delete operators). Even for this highly restricted class of systems, the safety prob-
lem is undecidable.
Denning, Denning, Garland, Harrison, and Ruzzo [Denn78] studied the implica-
tions of the decidability results for developing a theory of protection powerful
enough to resolve safety questions. Before presenting these results, we shall first
review the basic concepts of theorem-proving systems. Readers can skip this sec-
tion without loss of continuity.
A formal language L is a recursive subset of the set of all possible strings over
a given finite alphabet; the members of L are called sentences.
A deductive theory T over a formal language L consists of a set A of axioms,
where A ⊆ L, and a finite set of rules of inference, which are recursive relations
over L. The set of theorems of T is defined inductively: every axiom in A is a
theorem, and any sentence obtained from theorems by a rule of inference is a
theorem.
Theorem 4.5:
Any theory T adequate for proving safety must be undecidable. ■
This theorem follows from Theorem 4.2 by noting that, were there an adequate
decidable T, we could decide whether a protection system p were safe by checking
whether T ⊢ tp.
Theorem 4.6:
There is no recursively axiomatizable theory T adequate for proving
safety. ■
This theorem follows from Theorems 4.2 and 4.3. If T were adequate and recur-
sively axiomatizable, we could decide the safety of p by enumerating simulta-
neously the theorems of T and the set of unsafe systems; eventually, either tp will
appear in the list of theorems or p will appear in the list of unsafe systems,
enabling us to decide the safety of p.
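The simultaneous enumeration in this argument is a standard dovetailing construction, and can be sketched as follows. The code is illustrative only: the two enumerators are toy, hypothetical stand-ins for the theorems of an adequate T and for the list of unsafe systems.

```python
from itertools import count

def decide_safety(p, enumerate_theorems, enumerate_unsafe):
    """Dovetail the two enumerations from the Theorem 4.6 argument:
    if T were adequate, either the sentence asserting p's safety would
    eventually appear among the theorems, or p would eventually appear
    among the unsafe systems."""
    theorems = enumerate_theorems()
    unsafe = enumerate_unsafe()
    while True:
        if next(theorems) == ('safe', p):
            return True
        if next(unsafe) == p:
            return False

# Toy enumerators (hypothetical): even-numbered systems are "safe".
def theorems():
    for i in count():
        yield ('safe', 2 * i)

def unsafe_systems():
    for i in count():
        yield 2 * i + 1

print(decide_safety(4, theorems, unsafe_systems))  # True
print(decide_safety(7, theorems, unsafe_systems))  # False
```

The point of the theorem is that no such pair of enumerations can exist for real safety: the procedure terminates here only because the toy sets were chosen to partition all systems.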
Theorem 4.6 shows that, given any recursively axiomatizable theory T and
any representation p → tp of safety, there is some system whose safety either is
established incorrectly by T or is not established when it should be. This result in
itself is of limited interest for two reasons: it is not constructive (i.e., it does not
show us how to find such a p); and, in practice, we may be willing to settle for
inadequate theories as long as they are sound, that is, as long as they do not err by
declaring an unsafe system to be safe.
Theorem 4.7:
Given any recursively axiomatizable theory T and any representation of
safety in T, one can construct a protection system p for which T ~- tp if and
only if p is unsafe. Furthermore, if T is sound, then p must be safe, but its
safety is not provable in T.
Proof:
Given an indexing {Mi} of Turing machines and an indexing {pi} of
protection systems, the proof of Theorem 4.2 shows how to define a
recursive function f such that

(a) Mi halts iff pf(i) is unsafe.

Since T is recursively axiomatizable and the map p → tp is computable,
there is a recursive function g such that

(b) T ⊢ tpi iff Mg(i) halts;

the Turing machine Mg(i) simply enumerates all theorems of T, halting
if tpi is found. By the Recursion Theorem [Roge67], one can effectively
find an index j such that

(c) Mj halts iff Mg(f(j)) halts.

Combining (a), (b), and (c), and letting p = pf(j), we get

(d) T ⊢ tp iff Mg(f(j)) halts iff Mj halts iff pf(j) = p is unsafe,

as was to be shown.
Now, suppose T is sound. Then tp cannot be a theorem of T lest p
be simultaneously safe by soundness and unsafe by (d). Hence, T ⊬ tp,
and p is safe by (d). ■
Theorem 4.8:
For the class of protection systems in which the number of objects and
domains of access is bounded, safety (or unsafety) is polynomial verifiable by
some reasonable logical system if and only if PSPACE = NP; that is, if and
only if any problem solvable in polynomial space is solvable in nondeterministic
polynomial time. ■
Jones, Lipton, and Snyder [Jone76b] introduced the Take-Grant graph model to
describe a restricted class of protection systems. They showed that for such sys-
tems, safety is decidable even if the number of subjects and objects that can be
created is unbounded. Furthermore, it is decidable in time linear in the size of the
initial state. We shall describe these results, following their treatment in a survey
paper by Snyder [Snyd81a].
As in the access-matrix model, a protection system is described in terms of
states and state transitions. A protection state is described by a directed graph G,
where the nodes of the graph represent the subjects and objects of the system
(subjects are not objects in the take-grant model), and the edges represent rights.
We shall let (x, y) denote the set of access rights on an edge from x to y, where
r E (x, y) means that x has right r for y. If x is a subject, then (x, y) in G is like
A[x, y] in the access matrix.
There are two special rights: take (abbreviated t), and grant (abbreviated g).
If a subject s has the right t for an object x, then it can take any of x's rights; if it
has the right g for x, then it can share any of its rights with x. These rights
describe certain aspects of capability systems. If a subject has a capability to read
from an object x containing other capabilities, then it can take capabilities (rights)
from x; similarly, if it has a capability to write into x, it can grant capabilities to x.
Example:
Figure 4.33 shows the graph representation of the directory structure shown
in Figure 4.24. We have used "●" to represent subject nodes, and "○" to
represent object nodes. Note that R and W capabilities for a directory become
take and grant rights, respectively, in the take-grant model, whereas R
and W capabilities for files remain as R and W rights. ■

[Figure 4.33: graph representation of the directory structure of Figure 4.24.]
Example:
Figure 4.34 shows only part of the protection state of Figure 4.2. A process
can grant rights for any of its owned files to any other process, so there is an
edge labeled g connecting each pair of processes. But only process P2 is
allowed to take rights from another process, namely its subordinate P3, so
there is only one edge labeled t. Because rights for memory segments cannot
be granted along the g-edges (memory is not owned and the copy flag is not
set), these rights are not shown. Consequently, the graph does not show that P2
can take P3's rights for memory segment M3 (as it did). ■

[Figure 4.34: part of the protection state of Figure 4.2, showing the g, t, R,
and W edges among processes P1, P2, P3 and files F1, F2.]
State transitions are modeled as graph rewriting rules for commands. There
are four rules:
1. Take: Let s be a subject such that t ∈ (s, x) and r ∈ (x, y) for some right r and
nodes x and y. The command

s take r for y from x

adds r to (s, y). Graphically, the rule adds an edge labeled r from s to y:

[Diagram: s ─t→ x ─r→ y ⊢ s ─t→ x ─r→ y with a new edge s ─r→ y]

where the symbol "⊗" in the diagrams denotes vertices that may be either
subjects or objects.
2. Grant: Let s be a subject such that g ∈ (s, x) and r ∈ (s, y) for some right r
and nodes x and y. The command

s grant r for y to x

adds r to (x, y). Graphically, the rule adds an edge labeled r from x to y:

[Diagram: x ←g─ s ─r→ y ⊢ x ←g─ s ─r→ y with a new edge x ─r→ y]
We have stated the commands take, grant, and remove as operations on a single
right r. These commands can also be applied to subsets of rights, as is done in
[Jone76b, Snyd81a].
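The rewriting rules can be sketched as operations on a protection graph stored as a mapping from ordered node pairs to sets of rights. This rendering is mine (the text defines the rules abstractly); each function checks the rule's precondition and otherwise leaves the graph unchanged.

```python
from collections import defaultdict

def new_graph():
    # (x, y) -> set of rights that x holds for y
    return defaultdict(set)

def take(G, s, x, y, r):
    """s take r for y from x: legal if t in (s, x) and r in (x, y)."""
    if 't' in G[(s, x)] and r in G[(x, y)]:
        G[(s, y)].add(r)

def grant(G, s, x, y, r):
    """s grant r for y to x: legal if g in (s, x) and r in (s, y)."""
    if 'g' in G[(s, x)] and r in G[(s, y)]:
        G[(x, y)].add(r)

def remove(G, s, x, r):
    """s remove r for x: s deletes r from its own edge (s, x)."""
    G[(s, x)].discard(r)

G = new_graph()
G[('s', 'x')].add('t')   # s has take for x
G[('x', 'y')].add('R')   # x has R for y
take(G, 's', 'x', 'y', 'R')
print(G[('s', 'y')])     # {'R'}
```

State transitions are then just sequences of such calls, which makes claimed derivations in the model easy to check mechanically.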
Example:
The following commands show how process P1 can create a new file F7 and
add it to the directory D11 shown in Figure 4.33.
[Diagram: the graph of Figure 4.33 extended with a new file node F7,
attached to directory D11 with rights R and W.]
complexity of the decision procedure. Note that if this question is decidable with a
decision procedure having linear time complexity T = O(n) for an initial graph
with n nodes, then the more general question is decidable within time T = O(n³)
[only nodes (p and x) existing in the initial graph need be considered].
The safety question is formalized as follows. Given an initial graph G0 with
nodes s, x, and p such that r ∈ (s, x) and r ∉ (p, x), G0 is safe for the right r for x if
and only if r ∉ (p, x) in every graph G derivable from G0 (i.e., G0 ⊢* G). We shall
consider the question in two contexts: first, where s can "share" its right with other
nodes (but not necessarily p), and second, where the right must be "stolen" from s.
Given an initial graph G0 with nodes p and x such that r ∉ (p, x) in G0, the
predicate can.share(r, x, p, G0) is true if and only if there exists a node s in G0 such
that r ∈ (s, x) and G0 is unsafe for the right r for x; that is, p can acquire the
right r for x. To determine the conditions under which the predicate can.share is
true, we first observe that rights can only be transferred along edges labeled with
either t or g. Two nodes x and y are tg-connected if there is a path between them
such that each edge on the path is labeled with either t or g (the direction of the
edge is not important); they are directly tg-connected if the path is the single edge
(x, y) or (y, x). Jones, Lipton, and Snyder prove the following sufficient condition
for can.share:
Theorem 4.9:
can.share(r, x, p, G0) is true if p is a subject and there is a subject s with
r ∈ (s, x) such that p and s are directly tg-connected.
Proof:
There are four cases to consider:
Case 1. [p ─t→ s ─r→ x]

The first case is simple, as p can simply take the right r from s with the
command:

p take r for x from s
Case 2. [p ←g─ s ─r→ x]

This case is also simple, as s can grant (share) its right to p with the
command:

s grant r for x to p
Case 3. [p ─g→ s ─r→ x]

This case is less obvious, as p cannot acquire the right with a single
command. Nevertheless, with the cooperation of s, p can acquire the
right with four commands:

p create tg for new y
p grant g for y to s
s grant r for x to y
p take r for x from y

[Diagrams: each command adds the corresponding edge, ending with an
edge labeled r from p to x.]
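The four-command sequence of Case 3 can be checked mechanically. The sketch below is mine and self-contained; it assumes a create rule that gives the creator both t and g for the new node (the create rule's statement falls outside this excerpt), and the asserts verify each command's precondition before applying it.

```python
from collections import defaultdict

G = defaultdict(set)            # (a, b) -> rights a holds for b
G[('p', 's')].add('g')          # p has grant for s
G[('s', 'x')].add('r')          # s holds the right r for x

# p create tg for new y  (assumed create rule: creator gets t and g)
G[('p', 'y')].update({'t', 'g'})

# p grant g for y to s   (needs g in (p, s) and g in (p, y))
assert 'g' in G[('p', 's')] and 'g' in G[('p', 'y')]
G[('s', 'y')].add('g')

# s grant r for x to y   (needs g in (s, y) and r in (s, x))
assert 'g' in G[('s', 'y')] and 'r' in G[('s', 'x')]
G[('y', 'x')].add('r')

# p take r for x from y  (needs t in (p, y) and r in (y, x))
assert 't' in G[('p', 'y')] and 'r' in G[('y', 'x')]
G[('p', 'x')].add('r')

print(G[('p', 'x')])  # {'r'}
```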
Case 4. [p ←t─ s ─r→ x]

The command sequence for this case is left as an exercise (see Exercise
4.6). ■
This result is easily extended to handle the case where subjects s and p are
tg-connected by a path of length ≥ 1 consisting of subjects only. Letting p = p0,
p1, ..., pn = s denote the path between p and s, each pi (for i = n−1, n−2, ..., 0)
can acquire the right from pi+1 as described in Theorem 4.9. It turns out that tg-
connectivity is also a necessary condition for can.share in graphs containing only
subjects; this is summarized in the following theorem:
Theorem 4.10:
If G0 is a subject-only graph, then can.share(r, x, p, G0) is true if and only if
there is a subject s with r ∈ (s, x) such that p and s are tg-connected. ■
If the graph can contain both subjects and objects, the situation is more
complicated. Before we can state results for this case, we must first introduce some
new concepts.
An island is any maximal subject-only tg-connected subgraph. Clearly, once
a right reaches an island, it can be shared with any of the subjects on the island.
We must also describe how rights are transferred between two islands.
A tg-path is a path s1, o2, ..., on−1, sn of n ≥ 3 tg-connected nodes, where s1
and sn are subjects, and o2, ..., on−1 are objects. A tg-semipath is a path s1, o2,
..., on of n ≥ 2 tg-connected nodes, where s1 is a subject, and o2, ..., on are
objects. Each tg-path or semipath may be described by a word over an alphabet
of four symbols: t and g, each marked with an arrow giving the direction of the
edge.
Example:
The tg-path connecting p and s in the following graph is described by the
word t t g t, where the first two edges are directed away from p and the last
two away from s:

[Diagram: p ─t→ u ─t→ v ←g─ w ←t─ s, with s ─r→ x]
Bridges are used to transfer rights between two islands. The path t t g t in
the preceding example is a bridge; as an exercise, the reader should show how s
can share its right r for x with p.
An initial span is a tg-semipath whose associated word consists of zero or
more t's followed by a single g, with all edges directed away from (emanating
from) the subject s1. Note that a bridge is a
composition of initial and terminal spans. The idea is that a subject on one island
is responsible for transferring a right over the initial span of a bridge, and a subject
on the other island is responsible for transferring the right over the terminal span;
the middle of the bridge represents a node across which neither subject alone can
transfer rights.
We now have the following theorem:
Theorem 4.11:
The predicate can.share(r, x, p, G0) is true if and only if:
An initial span is used only when p is an object; it allows the transfer of a right
[Figure: two islands I1 and I2 joined by a bridge; an initial span leads into
the bridge from one island and a terminal span leads out to the other.]
Theorem 4.12:
There is an algorithm for testing can.share that operates in linear time in the
size of the initial graph. ■
The algorithm performs a depth first search of the protection graph (e.g., see
[Aho74]).
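For the subject-only case of Theorem 4.10, the test amounts to a search over edges labeled t or g, ignoring direction. The sketch below is my rendering, not the algorithm of [Jone76b]; handling objects, islands, and bridges takes more bookkeeping but the same linear-time search.

```python
def can_share_subjects_only(edges, r, x, p):
    """edges: dict (a, b) -> set of rights. In a subject-only graph,
    can.share(r, x, p) holds iff some s with r in (s, x) is
    tg-connected to p (edge direction is irrelevant)."""
    # Build an undirected adjacency over edges carrying t or g.
    adj = {}
    for (a, b), rights in edges.items():
        if rights & {'t', 'g'}:
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    # Depth-first search from p for a node holding r for x.
    stack, seen = [p], {p}
    while stack:
        u = stack.pop()
        if r in edges.get((u, x), set()):
            return True
        stack.extend(adj.get(u, set()) - seen)
        seen |= adj.get(u, set())
    return False

edges = {('p', 'u'): {'t'}, ('u', 's'): {'g'}, ('s', 'x'): {'R'}}
print(can_share_subjects_only(edges, 'R', 'x', 'p'))  # True
```

Each node and edge is visited at most once, which is the source of the linear bound.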
We now turn to the question of stealing. Intuitively, a node p steals a right r
for x from an owner s if it acquires r for x without the explicit cooperation of s.
Formally, the predicate can.steal(r, x, p, G0) is true if and only if p does not have r
for x in G0 and there exist graphs G1, ..., Gn such that:
Note, however, that condition (3) does not rule out an owner s from transferring
other rights. Snyder [Snyd81b] proved the following theorem, which states that a
right must be stolen (taken) directly from its owner:
Theorem 4.13:
can.steal(r, x, p, Go) is true if and only if:
1. There is a subject p' such that p' = p (if p is a subject) or p' initially
spans to p (if p is an object), and
2. There is a node s such that r ∈ (s, x) in G0 and can.share(t, s, p', G0) is
true; i.e., p' can acquire the right to take from s. ■
This means if a subject cannot acquire the right to take from s, then it cannot steal
a right from s by some other means. Subjects that participate in the stealing are
called conspirators.
If a subject p cannot steal a right for an object x, this does not necessarily
mean the information in x is protected. For example, another subject s may copy
the information in x into another object y that p can read (see Figure 4.37). To
handle this problem, Bishop and Snyder [Bish79] distinguish between de jure
acquisition, where p obtains the read right R for x, and de facto acquisition, where
p obtains the information in x, but not necessarily the right R for x. They intro-
duce four commands to describe information transfer using R, W rights, and show
that de facto acquisition can be described by graphs with certain kinds of RW-
paths (analogous to the tg-paths). They also show de facto acquisition can be
decided in time linear in the size of the initial graph. The problem of securing
information flow is discussed in the next chapter.
The take-grant model is not intended to model any particular system or
classes of systems, although it does describe many aspects of existing systems,
especially capability systems. Nevertheless, the results are significant because they
show that in properly constrained systems, safety decisions are not only possible
but relatively simple. Safety is undecidable in the Harrison, Ruzzo, Ullman model
because the commands of a system are unconstrained; a command can, if
desired, grant some right r for x to every subject in the system. The take-grant
model, on the other hand, constrains commands to pass rights only along tg-paths.
Snyder [Snyd77] investigated the problem of designing systems based on the
take-grant model. He showed it is possible to design systems powerful enough to
solve certain protection problems. One of his designs is outlined in the exercises at
the end of this chapter.
Jones suggested an extension to the take-grant model for handling procedure
calls and parameter passing [Jone78]. Her extension associates "property sets"
with subjects and with passive procedure objects that serve as templates for subject
creation. Execution of a procedure call causes a new subject to be created with
rights defined by the templates.
EXERCISES
4.1 Consider the revocation scheme used by System R (see Section 4.4.2), and
suppose Sysauth contains the following tuples for a relation Z created by
user A:
D  Z  A   5   5  yes
B  Z  A  10   0  yes
C  Z  B  15   0  yes
C  Z  D  20  20  yes
B  Z  C  30  30  yes
E  Z  B  40  40  no
Draw a graph showing the transfer of rights. Suppose that at time t = 50, A
revokes all rights granted to D. Show the resulting state of Sysauth.
4.2 Write an algorithm for implementing the revocation procedure of System R.
4.3 Specify a policy for confinement (see Section 4.2.2), and design a capability-
based mechanism for enforcing the policy.
4.4 Complete the specifications of the module shown in Figure 4.31 by writing
an OV-function for pop.
4.5 Consider the representation of a Turing machine as a protection system as
described in Section 4.7.2. Complete the proof of Theorem 4.2 by showing
how the move δ(q, X) = (p, Y, R) can be represented with two commands.
Given the access matrix shown in Figure 4.32, show the matrix that results
after the following two moves:
δ(q, C) = (p, D, R)
δ(p, D) = (s, E, R) .
4.6 Complete the proof of Theorem 4.9 by giving the command sequence for
Case 4.
4.7 Give a sequence of commands showing how the right r for x can be
transferred over the bridge t t g t connecting p and s in the following graph:

[Diagram: p ─t→ u ─t→ v ←g─ w ←t─ s, with s ─r→ x]
REFERENCES
Aho74. Aho, A., Hopcroft, J., and Ullman, J., The Design and Analysis of Computer
Algorithms, Addison-Wesley, Reading, Mass. (1974).
Ande72. Anderson, J. P., "Computer Security Technology Planning Study," ESD-TR-73-
51, Vols. I and II, USAF Electronic Systems Div., Bedford, Mass. (Oct. 1972).
Bara64. Baran, P., "On Distributed Communications: IX. Security, Secrecy, and Tamper-
Free Considerations," RM-3765-PR, The Rand Corp., Santa Monica, Calif. (1964).
Bens72. Bensoussan, A., Clingen, C. T., and Daley, R. C., "The MULTICS Virtual Mem-
ory: Concepts and Design," Comm. ACM Vol. 15(5) pp. 308-318 (May 1972).
Bers79. Berson, T. A. and Barksdale, G. L., "KSOS--Development Methodology for a
Secure Operating System," pp. 365-371 in Proc. NCC, Vol. 48, AFIPS Press,
Montvale, N.J. (1979).
Bish79. Bishop, M. and Snyder, L., "The Transfer of Information and Authority in a
Protection System," Proc. 7th Symp. on Oper. Syst. Princ., ACM Oper. Syst. Rev.,
pp. 45-54 (Dec. 1979).
Boye79. Boyer, R. and Moore, J. S., A Computational Logic, Academic Press, New York
(1979).
Boye80. Boyer, R. and Moore, J. S., "A Verification Condition Generator for Fortran,"
Computer Science Lab. Report CSL-103, SRI International, Menlo Park, Calif.
(June 1980).
Broa76. Broadbridge, R. and Mekota, J., "Secure Communications Processor Specifica-
tion," ESD-TR-76-351, AD-A055164, Honeywell Information Systems, McLean,
Va. (June 1976).
Buck80. Buckingham, B. R. S., "CL/SWARD Command Language," SRI-CSL-79-013c,
IBM Systems Research Institute, New York (Sept. 1980).
Carl75. Carlstedt, J., Bisbey, R. II, and Popek, G., "Pattern-Directed Protection Evalua-
tion," NTIS AD-A012-474, Information Sciences Inst., Univ. of Southern Calif.,
Marina del Rey, Calif. (June 1975).
Cash76. Cash, J., Haseman, W. D., and Whinston, A. B., "Security for the GPLAN
System," Info. Systems Vol. 2 pp. 41-48 (1976).
Cheh81. Cheheyl, M. H., Gasser, M., Huff, G. A., and Millen, J. K. "Verifying Security,"
ACM Computing Surveys Vol. 13(3) pp. 279-339 (Sept. 1981).
Codd70. Codd, E. F., "A Relational Model of Data for Large Shared Data Banks,"
Comm. ACM Vol. 13(6) pp. 377-387 (1970).
Codd79. Codd, E. F., "Extending the Database Relational Model to Capture More
Meaning," ACM Trans. on Database Syst. Vol. 4(4) pp. 397-434 (Dec. 1979).
Cohe75. Cohen, E. and Jefferson, D., "Protection in the HYDRA Operating System,"
Proc. 5th Symp. on Oper. Syst. Princ., ACM Oper. Syst. Rev. Vol. 9(5) pp. 141-160
(Nov. 1975).
Conw72. Conway, R. W., Maxwell, W. L., and Morgan, H. L., "On the Implementation of
Security Measures in Information Systems," Comm. ACM Vol. 15(4) pp. 211-220
(Apr. 1972).
Dah172. Dahl, O. J. and Hoare, C. A. R., "Hierarchical Program Structures," in Struc-
tured Programming, ed. Dahl, Dijkstra, Hoare, Academic Press, New York (1972).
Dale65. Daley, R. C. and Neumann, P. G., "A General-Purpose File System for Secondary
Storage," pp. 213-229 in Proc. Fall Jt. Computer Conf., Vol. 27, AFIPS Press,
Montvale, N.J. (1965).
Denn78. Denning, D. E., Denning, P. J., Garland, S. J., Harrison, M. A., and Ruzzo, W. L.,
Harr76. Harrison, M. A., Ruzzo, W. L., and Ullman, J. D., "Protection in Operating
Systems," Comm. ACM Vol. 19(8) pp. 461-471 (Aug. 1976).
Harr78. Harrison, M. A. and Ruzzo, W. L., "Monotonic Protection Systems," pp. 337-365
in Foundations of Secure Computation, ed. R. A. DeMillo et at., Academic Press,
New York (1978).
Hart76. Hartson, H. R. and Hsiao, D. K., "Full Protection Specifications in the Semantic
Model for Database Protection Languages," Proc. 1976 ACM Annual Conf., pp. 90-
95 (Oct. 1976).
Hebb80. Hebbard, B. et al., "A Penetration Analysis of the Michigan Terminal System,"
ACM Oper. Syst. Rev. Vol. 14(1) pp. 7-20 (Jan. 1980).
Hoff71. Hoffman, L. J., "The Formulary Model for Flexible Privacy and Access Control,"
pp. 587-601 in Proc. Fall Jt. Computer Conf., Vol. 39, AFIPS Press, Montvale, N.J.
(1971).
IBM68. IBM, "IBM System/360 Principles of Operation," IBM Report No. GA22-6821
(Sept. 1968).
Ilif62. Iliffe, J. K. and Jodeit, J. G., "A Dynamic Storage Allocation System," Computer J.
Vol. 5 pp. 200-209 (1962).
Ilif72. Iliffe, J. K., Basic Machine Principles, Elsevier/MacDonald, New York (1st ed.
1968, 2nd ed. 1972).
Jone76a. Jones, A. K. and Liskov, B. H., "A Language Extension Mechanism for Control-
ling Access to Shared Data," Proc. 2nd Int. Conf. Software Eng., pp. 62-68 (1976).
Jone76b. Jones, A. K., Lipton, R. J., and Snyder, L., "A Linear Time Algorithm for
Deciding Security," Proc. 17th Annual Symp. on Found. of Comp. Sci. (1976).
Jone78. Jones, A. K., "Protection Mechanism Models: Their Usefulness," pp. 237-254 in
Foundations of Secure Computation, ed. R. A. DeMillo et al., Academic Press, New
York (1978).
Jone79. Jones, A. K., Chansler, R. J., Durham, I., Schwans, K., and Vegdahl, S. R.,
"StarOS, a Multiprocessor Operating System for the Support of Task Forces," Proc.
7th Symp. on Oper. Syst. Princ., ACM Oper. Syst. Rev., pp. 117-121 (Dec. 1979).
Kahn81. Kahn, K. C., Corwin, W. M., Dennis, T. D., D'Hooge, H., Hubka, D. E.,
Hutchins, L. A., Montague, J. T., Pollack, F. J., Gifkins, M. R., "iMAX: A Multiprocessor
Operating System for an Object-Based Computer," Proc. 8th Symp. on Oper. Syst.
Princ., ACM Oper. Syst. Rev., Vol. 15(5), pp. 127-136 (Dec. 1981).
Krei80. Kreissig, G., "A Model to Describe Protection Problems," pp. 9-17 in Proc. 1980
Symp. on Security and Privacy, IEEE Computer Society (Apr. 1980).
Lamp69. Lampson, B. W., "Dynamic Protection Structures," pp. 27-38 in Proc. Fall Jt.
Computer Conf., Vol. 35, AFIPS Press, Montvale, N.J. (1969).
Lamp71. Lampson, B. W., "Protection," Proc. 5th Princeton Symp. on Info. Sci. and Syst.,
pp. 437-443, Princeton Univ. (Mar. 1971). Reprinted in ACM Oper. Syst. Rev., Vol.
8(1) pp. 18-24 (Jan. 1974).
Lamp73. Lampson, B. W., "A Note on the Confinement Problem," Comm. ACM Vol.
16(10) pp. 613-615 (Oct. 1973).
Lamp76a. Lampson, B. W., Horning, J. J., London, R. L., Mitchell, J. G., and Popek, G. J.,
"Report on the Programming Language Euclid" (Aug. 1976).
Lamp76b. Lampson, B. W. and Sturgis, H. E., "Reflections on an Operating System De-
sign," Comm. ACM Vol. 19(5) pp. 251-265 (May 1976).
Levi81. Levitt, K. N. and Neumann, P. G., "Recent SRI Work in Verification," ACM
SIGSOFT Software Engineering Notes Vol. 6(3) pp. 33-47. (July 1981).
Lind75. Linde, R. R., "Operating System Penetration," pp. 361-368 in Proc. NCC, Vol. 44,
262 ACCESS CONTROLS
Ritc74. Ritchie, D. M. and Thompson, K., "The UNIX Time-Sharing System," Comm.
ACM Vol. 17(7) pp. 365-375 (July 1974).
Robi77. Robinson, L. and Levitt, K. N., "Proof Techniques for Hierarchically Structured
Programs," Comm. ACM Vol. 20(4) pp. 271-283 (Apr. 1977).
Robi79. Robinson, L., "The HDM Handbook, Volume I: The Foundations of HDM," SRI
Project 4828, SRI International, Menlo Park, Calif. (June 1979).
Roge67. Rogers, H., Theory of Recursive Functions and Effective Computability,
McGraw-Hill, New York (1967), Section 11.2.
Rush81. Rushby, J. M., "Design and Verification of Secure Systems," Proc. 8th Symp. on
Oper. Syst. Princ., ACM Oper. Syst. Rev., Vol. 15(5), pp. 12-21 (Dec. 1981).
Salt75. Saltzer, J. H. and Schroeder, M. D., "The Protection of Information in Computer
Systems," Proc. IEEE Vol. 63(9) pp. 1278-1308 (Sept. 1975).
Schi75. Schiller, W. L., "The Design and Specification of a Security Kernel for the PDP
11/45," ESD-TR-75-69, The MITRE Corp., Bedford, Mass. (Mar. 1975).
Schr72. Schroeder, M. D. and Saltzer, J. H., "A Hardware Architecture for Implementing
Protection Rings," Comm. ACM Vol. 15(3) pp. 157-170 (Mar. 1972).
Schr77. Schroeder, M. D., Clark, D. D., and Saltzer, J. H., "The MULTICS Kernel Design
Project," Proc. 6th Symp. on Oper. Syst. Princ., ACM Oper. Syst. Rev. Vol. 11(5)
pp. 43-56 (Nov. 1977).
Sevc74. Sevcik, K. C. and Tsichritzis, D. C., "Authorization and Access Control Within
Overall System Design," pp. 211-224 in Proc. Int. Workshop on Protection in Oper-
ating Systems, IRIA, Rocquencourt, Le Chesnay, France (1974).
Silv79. Silverberg, B., Robinson, L., and Levitt, K., "The HDM Handbook, Volume II: The
Languages and Tools of HDM," SRI Project 4828, SRI International, Menlo Park,
Calif. (June 1979).
Snyd77. Snyder, L., "On the Synthesis and Analysis of Protection Systems," Proc. 6th
Symp. on Oper. Syst. Princ., ACM Oper. Syst. Rev. Vol. 11(5) pp. 141-150 (Nov.
1977).
Snyd81a. Snyder, L., "Formal Models of Capability-Based Protection Systems," IEEE
Trans. on Computers Vol. C-30(3) pp. 172-181 (Mar. 1981).
Snyd81b. Snyder, L., "Theft and Conspiracy in the Take-Grant Model," J C S S Vol. 23(3),
pp. 333-347 (Dec. 1981).
Ston74. Stonebraker, M. and Wong, E., "Access Control in a Relational Data Base Man-
agement System by Query Modification," Proc. 1974 A C M Annual Conf., pp. 180-
186 (Nov. 1974).
WalkS0. Walker, B. J., Kemmerer, R. A., and Popek, G. J., "Specification and Verification
of the UCLA Unix Security Kernel," Comm. A C M Vol. 23(2) pp. 118-131 (Feb.
1980).
Walt75. Walter, K. G. et al., "Structured Specification of a Security Kernel," Proc. Int.
Conf. Reliable Software, A C M S I G P L A N Notices Vol. 10(6) pp. 285-293 (June
1975).
Wulf74. Wulf, W. A., Cohen, E., Corwin, W., Jones, A., Levin, R., Pierson, C., and
Pollack, E, "HYDRA: The Kernel of a Multiprocessor System," Comm. A C M Vol.
17(6) pp. 337-345 (June 1974).
Wulf76. Wulf, W. A., London, R. L., and Shaw, M., "An Introduction tothe Construction
and Verification of Alphard Programs," IEEE Trans. on Software Eng. Vol. SE-2(4)
pp. 253-265 (Dec. 1976).
Information Flow Controls
Access controls regulate the accessing of objects, but not what subjects might do with the information contained in them. Many difficulties with information "leakage" arise not from defective access control, but from the lack of any policy about information flow. Flow controls are concerned with the right of dissemination of information, irrespective of what object holds the information; they specify valid channels along which information may flow.
We shall describe flow controls using the lattice model introduced by Denning [Denn75,Denn76a]. The lattice model is an extension of the Bell and LaPadula [Bell73] model, which describes the security policies of military systems (see Section 5.6).

The lattice model was introduced to describe policies and channels of information flow, but not what it means for information to flow from one object to another. We shall extend the model to give a precise definition of information flow in terms of classical information theory.
An information flow system is modeled by a lattice-structured flow policy, states, and state transitions. A flow policy is a pair (SC, ≤), where ≤ is a flow relation on a set of security classes SC. The security classes correspond to disjoint classes of information; they are intended to encompass, but are not limited to, the familiar concepts of "security classifications" and "security categories" [Weis69,Gain72].
For security classes A and B, the relation A ≤ B means class A information is lower than or equal to class B information. Information is permitted to flow within a class or upward, but not downward or to unrelated classes; thus, class A information is permitted to flow into class B if and only if A ≤ B. There is a lowest class, denoted Low, such that Low ≤ A for all classes A in SC. Low security information is permitted to flow anywhere. Similarly, there is a highest class, denoted High, such that A ≤ High for all A. High security information cannot leave the class High. The lattice properties of (SC, ≤) are discussed in Sections 5.1.4 and 5.1.5.
Example:
The simplest flow policy specifies just two classes of information: confidential (High) and nonconfidential (Low); thus, all flows except those from confidential to nonconfidential objects are allowed. This policy specifies the requirements for a selectively confined service program that handles both confidential and nonconfidential data [Denn74,Fent74]. The service program is allowed to retain the customer's nonconfidential data, but it is not allowed to retain or leak any confidential data. An income tax computing service, for example, might be allowed to retain a customer's address and the bill for services rendered, but not the customer's income or deductions. This policy is enforced with flow controls that assign all outputs of the service program to class Low, except for the results returned to the customer. ■
Example:
The multilevel security policy for government and military systems represents each security class by a pair (A, C), where A denotes an authority level and C a category. There are four authority levels:

0 - Unclassified
1 - Confidential
2 - Secret
3 - Top Secret.

There are 2^m categories, comprising all possible combinations of m compartments for some m; examples of compartments might be Atomic and Nuclear. Given classes (A, C) and (A', C'), (A, C) ≤ (A', C') if and only if A ≤ A' and C ⊆ C'. Transmissions from (2, {Atomic}) to (2, {Atomic, Nuclear}) or to (3, {Atomic}) are permitted, for example, but those from (2, {Atomic}) to (1, {Atomic}) or to (3, {Nuclear}) are not. ■
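The dominance test in this example is easy to state in code. Below is a minimal sketch (type and function names are mine, not from the text) that models a security class as a pair of an integer authority level and a frozenset of compartments, and checks (A, C) ≤ (A', C') as A ≤ A' and C ⊆ C':

```python
from typing import FrozenSet, Tuple

SecurityClass = Tuple[int, FrozenSet[str]]  # (authority level, category)

def flow_permitted(src: SecurityClass, dst: SecurityClass) -> bool:
    """(A, C) <= (A', C') iff A <= A' and C is a subset of C'."""
    (a, c), (a2, c2) = src, dst
    return a <= a2 and c <= c2  # frozenset's <= is the subset test

# The four transmissions discussed in the text:
src = (2, frozenset({"Atomic"}))
print(flow_permitted(src, (2, frozenset({"Atomic", "Nuclear"}))))  # True
print(flow_permitted(src, (3, frozenset({"Atomic"}))))             # True
print(flow_permitted(src, (1, frozenset({"Atomic"}))))             # False
print(flow_permitted(src, (3, frozenset({"Nuclear"}))))            # False
```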
The information state of a system is described by the value and security class of
each object in the system. An object may be a logical structure such as a file,
LATTICE MODEL OF INFORMATION FLOW 267
State transitions are modeled by operations that create and delete objects, and operations that change the value or security class of an object. Information flows are always associated with operations that change the value of an object. For example, execution of the file copy operation "copy(F1, F2)" causes information to flow from file F1 to file F2. Execution of the assignment statement "y := x / 1000" causes some information to flow from x to y, but less than the assignment "y := x".
Letting Ps(x) denote the probability distribution of x in state s, the channel capacity of x →α y is defined by the maximum amount of information transferred over all possible probability distributions of x:

C(α, x, y) = max over Ps(x) of I(α, x, y, s, s').

Note that if y can be represented with n bits, the channel capacity of any command sequence transferring information to y can be at most n bits. This means that if the value of y is derived from m inputs x1, …, xm, on the average only n/m bits can be transferred from each input.
The following examples illustrate how the previous definitions are applied.

Example:
Consider the assignment

y := x.

Suppose x is an integer variable in the range [0, 15], with all values equally likely. Letting pi denote the probability that x = i, we have

pi = 1/16 for 0 ≤ i ≤ 15, and pi = 0 otherwise.

If y is initially null, then

Hy(x) = H(x) = Σi pi log2(1/pi) = 16 (1/16) log2 16 = 4.

Because the exact value of x can be determined from y after the statement is executed, Hy'(x) = 0. Thus, 4 bits of information are transferred to y.

The capacity of an assignment "y := x" is usually much greater than 4 bits. If x and y are represented as 32-bit words, for example, the capacity is 32 bits. Or, if x and y are vectors of length n, where each vector element is a 32-bit word, the capacity is 32n. In both cases, the capacity is achieved when all possible words are equally likely.

Note that the statement "y := x" does not cause a flow x → y if the value of x is known. This is because Hy'(x) = Hy(x) = H(x) = 0. ■
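The arithmetic in this example is easy to check numerically. A small sketch, assuming nothing beyond the standard definition H(x) = Σ pi log2(1/pi):

```python
import math

def entropy(probs):
    """Shannon entropy in bits: H = sum of p * log2(1/p) over nonzero p."""
    return sum(p * math.log2(1 / p) for p in probs if p > 0)

# x uniform on [0, 15]: H(x) = 16 * (1/16) * log2 16 = 4 bits.
print(entropy([1 / 16] * 16))  # 4.0

# After "y := x" the value of x is determined exactly from y, so the
# equivocation Hy'(x) is 0 and all 4 bits are transferred.
```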
Example:
Consider the sequence of statements

z := x;
y := z.

Execution of this sequence can cause an "indirect flow" x → y through the intermediate variable z, as well as a direct flow x → z. Note, however, that the sequence does not cause a flow z → y, because the final value of y does not reveal any information about the initial value of z. ■
Example:
Consider the statement

z := x + y.

Let x and y be in the range [0, 15] with all values equally likely; thus H(x) = H(y) = 4 bits. Given z, the values of x and y are no longer equally likely (e.g., z = 0 implies both x and y must be 0; z = 1 implies either x = 0 and y = 1 or x = 1 and y = 0). Thus, both Hz'(x) and Hz'(y) are less than 4 bits, and execution of the statement reduces the uncertainty about both x and y.

Now, little can be deduced about the values of x and y from their sum when both values are unknown. Yet if one of the elements is known, the other element can be determined exactly. In general, the sum z = x1 + … + xn of n elements contains some information about the individual elements. Given additional information about some of the elements, it is often possible to deduce the unknown elements (e.g., given the sum z1 of n - 1 elements, the nth element can be determined exactly from the difference z - z1). The problem of hiding confidential information in sums (and other statistics) is studied in the next chapter. ■
Example:
It may seem surprising that the syntactically similar statement

z := x ⊕ y,

where x and y are as described in the previous example and "⊕" denotes the exclusive-or operator, does not cause information to flow to z. This is because the value of z does not reduce the uncertainty about either x or y (all values of x and y are equally likely for any given z). This is a Vernam cipher, where x is the plaintext, y is the key, and z is the ciphertext. This example shows it is not enough for an object y to be functionally dependent on an object x for there to be a flow x → y. It must be possible to learn something new about x from y.
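The claim can be checked by brute force. The sketch below (helper name mine) computes the conditional entropy H(x | z) for z = x ⊕ y and, for contrast, z = x + y, with x and y independent and uniform on [0, 15]; exclusive-or leaves the full 4 bits of uncertainty about x, while the sum does not:

```python
import math
from collections import Counter, defaultdict

def cond_entropy(pairs):
    """H(x | z) in bits for a list of equally likely (x, z) outcomes."""
    n = len(pairs)
    by_z = defaultdict(Counter)
    for x, z in pairs:
        by_z[z][x] += 1
    h = 0.0
    for xs in by_z.values():
        total = sum(xs.values())
        # P(z) * sum over x of P(x|z) * log2(1/P(x|z))
        h += (total / n) * sum((c / total) * math.log2(total / c)
                               for c in xs.values())
    return h

vals = range(16)
print(cond_entropy([(x, x ^ y) for x in vals for y in vals]))  # 4.0
print(cond_entropy([(x, x + y) for x in vals for y in vals]))  # strictly below 4
```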
We saw in Chapter 1 that most ciphers are theoretically breakable given enough ciphertext; thus, encryption generally causes information to flow from a plaintext message M to a ciphertext message C = EK(M). Determining M from C may be computationally infeasible, however, whence the information in C is not practically useful. Thus, in practice high security
270 INFORMATION FLOW CONTROLS
Example:
Consider the if statement

if x = 1 then y := 1,

where y is initially 0. Suppose x is 0 or 1, with both values equally likely; thus H(x) = 1. After this statement is executed, y contains the exact value of x, giving Hy'(x) = 0. Thus, 1 bit of information is transferred from x to y. Even if x is not restricted to the range [0, 1], the value of y reduces the uncertainty about x (y = 1 implies x = 1 and y = 0 implies x ≠ 1).

The flow x → y caused by executing the if statement is called an implicit flow to distinguish it from an explicit flow caused by an assignment. The interesting aspect of an implicit flow x → y is that it can occur even in the absence of any explicit assignment to y. For the preceding if statement, the flow occurs even when x ≠ 1 and the assignment to y is skipped. There must be a possibility of executing an assignment to y, however, and this assignment must be conditioned on the value of x; otherwise, the value of y cannot reduce the uncertainty about x.

The information in an implicit flow is encoded in the program counter (instruction register) of a process when it executes a conditional branch instruction. This information remains in the program counter as long as the execution path of the program depends on the outcome of the test, but is lost thereafter. ■
Example:
Consider the statement

if (x = 1) and (y = 1) then z := 1,
Example:
Consider the if statement

if x ≥ 8 then y := 1,

where y is initially 0. Again suppose x is an integer variable in the range [0, 15], with all values equally likely, so H(x) = 4. To derive the equivocation Hy'(x) from executing this statement, let qj be the probability y' = j (j = 0 or 1), and let qj(i) be the probability x = i given y' = j. Then

q0 = q1 = 1/2
q0(i) = 1/8 for 0 ≤ i ≤ 7, and 0 otherwise
q1(i) = 1/8 for 8 ≤ i ≤ 15, and 0 otherwise,

and

Hy'(x) = Σ(j=0 to 1) qj Σ(i=0 to 15) qj(i) log2(1/qj(i)) = (1/2)(3) + (1/2)(3) = 3.

Thus, 4 - 3 = 1 bit of information is transferred to y. The result is the same for the skewed distribution

pi = 1/16 for 0 ≤ i ≤ 7, pi = 1/2 for i = 8, and 0 otherwise,

for which

H(x) = 8 (1/16) log2 16 + (1/2) log2 2 = 2.0 + 0.5 = 2.5.

Here again q0 = q1 = 1/2, with

q0(i) = 1/8 for 0 ≤ i ≤ 7, and 0 otherwise
q1(i) = 1 for i = 8, and 0 otherwise.

Therefore, Hy'(x) = (1/2)(3) + (1/2)(0) = 1.5, and again 2.5 - 1.5 = 1 bit is transferred. ■

It should now come as no surprise that the channel capacity of the statement

if f(x) then y := 1

for some function f is 1 bit when the probability f(x) is true is 1/2. Let pi be the probability x = i for all possible values i of x. Assuming y is initially 0 and Hy(x) = H(x), we have

q0 = q1 = 1/2

and qj(i) = 2pi for the values i falling in each outcome; hence

Hy'(x) = Σi pi log2(1/(2pi)) = Σi pi log2(1/pi) - Σi pi log2 2 = H(x) - 1.

If the probability f(x) is true is not 1/2, less than 1 bit of information will be transferred (see exercises at end of chapter).
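The equivocation computations above can be replayed numerically. In this sketch (helper name mine), qj is the probability that y' = j and qj(i) the probability that x = i given y' = j, exactly as in the example:

```python
import math

def equivocation(p):
    """Hy'(x) after `if x >= 8 then y := 1`, for a distribution p over 0..15."""
    h = 0.0
    for group in (range(0, 8), range(8, 16)):  # outcomes y' = 0 and y' = 1
        q = sum(p[i] for i in group)           # probability of this outcome
        if q > 0:
            h += q * sum((p[i] / q) * math.log2(q / p[i])
                         for i in group if p[i] > 0)
    return h

print(equivocation([1 / 16] * 16))                     # 3.0, so 4 - 3 = 1 bit flows
print(equivocation([1 / 16] * 8 + [1 / 2] + [0] * 7))  # 1.5, and 2.5 - 1.5 = 1 bit
```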
A flow policy (SC, ≤) is a lattice if it is a partially ordered set (poset) and there exist least upper and greatest lower bound operators, denoted ⊕ and ⊗ respectively, on SC (e.g., see [Birk67]). That (SC, ≤) is a poset implies the relation ≤ is reflexive, transitive, and antisymmetric; that is, for all A, B, and C in SC:

1. Reflexive: A ≤ A
2. Transitive: A ≤ B and B ≤ C implies A ≤ C
3. Antisymmetric: A ≤ B and B ≤ A implies A = B.

That ⊕ is a least upper bound operator on SC implies for each pair of classes A and B in SC, there exists a unique class C = A ⊕ B in SC such that:

1. A ≤ C and B ≤ C, and
2. A ≤ D and B ≤ D implies C ≤ D for all D in SC.
Example:
Figure 5.1 illustrates a lattice with 11 classes, where an arrow from a class X to a class Y means X ≤ Y. The graphical representation is a standard precedence graph showing only the nonreflexive, immediate relations. We have, for example,

A ⊕ C = C, A ⊗ C = A
C ⊕ D = G, C ⊗ D = A
C ⊕ D ⊕ E = High, C ⊗ D ⊗ E = Low. ■

†In the remainder of this chapter, "⊕" denotes least upper bound rather than exclusive-or.
A linear lattice is derived from a linear ordering on the integers 0, 1, …, n - 1:

a. i ⊕ j = max(i, j)
b. i ⊗ j = min(i, j)
c. Low = 0; High = n - 1.
For n = 2, this lattice describes systems that distinguish confidential data in class
1 (High) from nonconfidential data in class 0 (Low). For n = 4, it describes the
authority levels in military systems.
Given a set X, a subset lattice is derived from a nonlinear ordering on the set of all subsets of X. The ordering relation ≤ corresponds to set inclusion ⊆, the least upper bound ⊕ to set union ∪, and the greatest lower bound ⊗ to set intersection ∩. The lowest class corresponds to the empty set and the highest class to X. Figure 5.2 illustrates for X = {x, y, z}.
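Subset lattices are immediate to model with sets. A sketch for X = {x, y, z} (all names illustrative): ≤ is ⊆, ⊕ is ∪, ⊗ is ∩, Low is the empty set, and High is X. The loop checks the defining bound properties over all 8 classes:

```python
from itertools import chain, combinations

X = frozenset({"x", "y", "z"})
classes = [frozenset(s) for s in chain.from_iterable(
    combinations(sorted(X), r) for r in range(len(X) + 1))]

Low, High = frozenset(), X

def join(a, b):  # least upper bound: set union
    return a | b

def meet(a, b):  # greatest lower bound: set intersection
    return a & b

for a in classes:
    assert Low <= a <= High          # every class lies between Low and High
    for b in classes:
        assert a <= join(a, b) and b <= join(a, b)
        assert meet(a, b) <= a and meet(a, b) <= b

print(len(classes))  # 8 classes, one per subset of X
```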
A subset lattice is particularly useful for specifying arbitrary input-output relations. Suppose a program has m input parameters x1, …, xm and n output parameters y1, …, yn such that each output parameter is allowed to depend on only certain inputs [Jone75]. A subset lattice can be constructed from the subsets of X = {x1, …, xm}. The class associated with each input xi is the singleton set _xi = {xi}, and the class associated with each output yj is the set _yj = {xi | xi → yj is allowed}.
Example:
Suppose a program has three input parameters x1, x2, and x3, and two output parameters y1 and y2, subject to the constraint that y1 may depend only on x1 and x2, and y2 may depend only on x1 and x3. Then _y1 = {x1, x2} and _y2 = {x1, x3}. ■
Example:
Consider a database containing medical, financial, and criminal records on individuals, and let X = {Medical, Financial, Criminal}. Medical information is permitted to flow into an object b if and only if Medical ∈ _b, and a combination of medical and financial information is permitted to flow into b if and only if both Medical ∈ _b and Financial ∈ _b. ■
Example: Multilevel security.
The security classes of the military multilevel security policy (see Section 5.1.1) form a lattice determined by the (Cartesian) product of the linear lattice of authority levels and the subset lattice of categories. Let (A, C) and (A', C') be security classes, where A and A' are authority levels and C and C' are categories. Then

(A, C) ⊕ (A', C') = (max(A, A'), C ∪ C')
(A, C) ⊗ (A', C') = (min(A, A'), C ∩ C'). ■

The transitivity of the relation ≤ implies that an indirect flow

x → z0 → z1 → … → zn → y

is permitted if each flow in the chain is permitted, because _x ≤ _z0 ≤ _z1 ≤ … ≤ _zn ≤ _y implies _x ≤ _y.
Example:
The security of the indirect flow x → y caused by executing the sequence of statements

z := x;
y := z

automatically follows from the security of the individual statements; that is, _x ≤ _z and _z ≤ _y implies _x ≤ _y. ■
Example:
Consider the sequence

z := 0;
if x = 1 then z := 1;
y := z,

which causes an implicit flow x → z followed by an explicit flow z → y, and hence an indirect flow x → y.

The existence of a least upper bound operator ⊕ implies that if _x1 ≤ _y, …, _xn ≤ _y for objects x1, …, xn and y, then there is a unique class _x = _x1 ⊕ … ⊕ _xn with _x ≤ _y; a single comparison against _x thus validates all n flows xi → y.
Example:
To verify the security of an assignment statement

y := x1 + x2 * x3,

a compiler can form the class _x = _x1 ⊕ _x2 ⊕ _x3 as the expression is parsed, and then verify the explicit flows xi → y (i = 1, 2, 3) by checking that _x ≤ _y. ■
Example:
To verify the security of an if statement

if x then
begin
  y1 := 0;
  y2 := 0;
  y3 := 0
end,

a compiler can form the class _y = _y1 ⊗ _y2 ⊗ _y3 as the statements are parsed, and then verify the implicit flows x → yi (i = 1, 2, 3) by checking that _x ≤ _y. ■
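The two compiler checks just illustrated share one pattern, which can be sketched as a single routine (structure and names mine, not the book's). Classes are modeled as subsets ordered by inclusion; an assignment is certified by checking that the join of the classes of its operands and of the variables it is conditioned on is ≤ the target's class:

```python
def certify_assignment(target_class, operand_classes, guard_classes=()):
    """Certify explicit flows (operands) plus implicit flows (guards): the
    join (set union) of all source classes must be <= (a subset of) the
    target's class."""
    source = frozenset().union(*operand_classes, *guard_classes)
    return source <= target_class

# y := x1 + x2 * x3 with _y = {x1, x2, x3}: certified.
print(certify_assignment(frozenset({"x1", "x2", "x3"}),
                         [frozenset({"x1"}), frozenset({"x2"}),
                          frozenset({"x3"})]))        # True

# if x then y1 := 0: the implicit flow x -> y1 needs _x <= _y1.
print(certify_assignment(frozenset({"y1"}), [],
                         [frozenset({"x"})]))         # False
```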
Let F be the set of all possible flows in an information flow system, let P be the subset of F authorized by a given flow policy, and let E be the subset of F "executable" given the flow control mechanisms in operation. The system is secure if E ⊆ P; that is, all executable flows are authorized. A secure system is precise if E = P; that is, all authorized flows are executable. Figure 5.4 illustrates.
Note the similarity of Figure 5.4 with Figure 4.4, where a secure system is defined to be one that never enters an unauthorized state. We can also define a secure information flow system in terms of authorized states. Let s0 be an initial state; s0 is authorized, because flows are associated with state transitions. Let s be a state derived from s0 by executing a command sequence α; then s is authorized if and only if all flows x → y caused by α are authorized (i.e., _x ≤ _y). By transitivity of the relation ≤, the state of the system remains authorized if the flows caused by each state transition are authorized. Defining secure information flow in terms of authorized states allows us to use a single definition of security for a system that supports both an access control policy and an information flow policy, as do most systems.
Although it is simple to construct a mechanism that provides security (for example, by prohibiting all flows), precision is much harder to achieve, as the following examples show.

[Figure 5.4: all flows F; authorized flows P (given policy); executable flows E (given mechanism). Secure: E ⊆ P. Precise: E = P.]
Example:
Consider the assignment

y := k * x,

and a policy in which _k ≤ _y but _x ≰ _y; that is, information may flow from k to y but not from x to y. A mechanism that always prohibits execution of this statement will provide security. It may not be precise, however, because execution of the statement does not cause a flow x → y if either k = 0 or H(x) = 0 (i.e., there is no uncertainty about x). To design a mechanism that verifies the relation _x ≤ _y only for actual flows x → y is considerably more difficult than designing one that verifies the relation _x ≤ _y for any operation that can potentially cause a flow x → y. ■
Example:
Consider the statement

if f(n) halts then y := x else y := 0,

where f is an arbitrary function and _x ≰ _y. Consider two systems: one that always allows execution of this statement, and another that always prohibits its execution. Clearly, it is undecidable whether the first system is secure or the second precise without solving the halting problem. To make matters worse, it is theoretically impossible to construct a mechanism that is both secure and precise [Jone75]. ■
In a secure system, the security class _y of any object y will be at least as high as the class of the information stored in y. This does not imply, however, that a variable class _y must monotonically increase over time. If information is removed from y, then _y may decrease.

Example:
Consider the following sequence of statements:

y := x;
z := y;
y := 0.

After the first statement is executed, _y must satisfy _x ≤ _y to reflect the flow x → y. After the last statement is executed, however, _y can be lower than _x, because y no longer contains information about x. Thus, the security class of an object can be increased or decreased at any time as long as it does not violate security. ■
FLOW CONTROL MECHANISMS 281
In some systems, trusted processes are permitted to violate the flow requirements, for example, to lower the security class of an object. These processes, however, must meet the security policies of the system as a whole (see Section 5.6.3 for an example).

Lampson [Lamp73] observed that information flows along three types of channels: legitimate channels such as interprocess messages, storage channels such as shared files and variables, and covert channels that exploit side effects such as a process's influence on system load. Legitimate channels are the simplest to secure. Securing storage channels is considerably more difficult, because every object (file, variable, and status bit) must be protected.
Example:
To illustrate the subtlety of this point, consider the following scheme by which a process p can transfer a value x to a process q through the lock bit of a shared file f: p arranges regular intervals of use and nonuse of the file according to the binary representation of x; q requests use of the file each interval, and determines the corresponding bit of x according to whether the request is granted. ■
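The lock-bit channel is easy to simulate. In this toy model (function names mine, not from the text), p locks the file during interval i exactly when bit i of x is 1, and q recovers each bit by testing whether its request would be granted:

```python
def sender_schedule(x, nbits):
    """p's schedule: lock the file during interval i iff bit i of x is 1."""
    return [(x >> i) & 1 == 1 for i in reversed(range(nbits))]

def receive(schedule):
    """q requests the file each interval; a denied request means the bit is 1."""
    value = 0
    for locked in schedule:
        value = (value << 1) | (1 if locked else 0)
    return value

x = 0b1011
assert receive(sender_schedule(x, 4)) == x  # q recovers x exactly
print(bin(receive(sender_schedule(x, 4))))
```

Even though q never reads the file's contents, the value of x crosses from p to q, which is why every status bit must be protected.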
Security can be enforced either at execution time by validating flows as they are
about to occur (prohibiting unauthorized ones), or at compile time by verifying the
flows caused by a program before the program executes. This section studies the
first approach; Sections 5.4-5.6 study the second approach. Before describing spe-
cific execution-based mechanisms, we discuss the general problem of dynamically
enforcing security for implicit flows.
Initially we assume objects have fixed security classes. We then consider the prob-
lems introduced by variable classes.
Dynamically enforcing security for explicit flows is straightforward, because an explicit flow always occurs as the result of executing an assignment of the form

y := f(x1, …, xn).

Implicit flows are harder, because they can occur even when no assignment is executed; recall the statement

if x = 1 then y := 1.

This seems to suggest that verifying implicit flows to an object only at the time of an explicit assignment to the object is insecure. For example, verifying the relation _x ≤ _y only when the assignment "y := 1" is performed in the preceding statement would be insecure.
The interesting result, proved by Fenton [Fent74], is that security can be
enforced by verifying flows to an object only at the time of explicit assignments to
the object. But there is one catch: attempted security violations cannot generally
be reported. This means if an unauthorized implicit flow is detected at the time of
an assignment, not only must that assignment be skipped, but the error must not
be reported to the user, and the program must keep running as though nothing had happened. The program cannot abort or even generate an error message to the
user unless the user's clearance is at least that of the information causing the flow
violation. It would otherwise be possible to use the error message or abnormal
termination to leak high security data to a user with a low security clearance.
Moreover, the program must terminate in a low security state; that is, any infor-
mation encoded in the program counter from tests must belong to the class Low.
Details are given in Sections 5.3.3 and 5.3.4.
EXECUTION-BASED MECHANISMS 283
Example:
Secure execution of the if statement

if x = 1 then y := 1

is described by

if x = 1
  then if _x ≤ _y then y := 1 else skip
  else skip.
Now suppose execution of an assignment

y := f(x1, …, xm)

is directly conditioned on variables xm+1, …, xn. Then the explicit and implicit flows to y can be validated by checking that the relation

_x1 ⊕ … ⊕ _xn ≤ _y

holds, skipping the assignment if it does not. This is secure, because the value of y is not changed when the security check fails; it is as though the program never even made the test that would have led to the assignment and, therefore, the implicit flow.
Fenton's result is significant for two reasons. First, it is much simpler to
construct a run-time enforcement mechanism if all implicit and explicit flows can
be validated only at the time of actual assignments. Second, such a mechanism is
likely to be more precise than one that checks implicit flows that occur in the
absence of explicit assignments.
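Fenton's rule can be sketched as a small helper (names mine; classes are subsets ordered by inclusion): every assignment is guarded by the check _x1 ⊕ … ⊕ _xn ⊕ _pc ≤ _y, and on failure the assignment is skipped with no error report:

```python
Low = frozenset()

def guarded_assign(store, classes, target, value, sources, pc_class=Low):
    """Perform `target := value` only if the join of the source classes and
    the pc class is <= the target's (fixed) class; otherwise skip silently."""
    flow = pc_class.union(*[classes[s] for s in sources])
    if flow <= classes[target]:
        store[target] = value
    # On failure: no assignment, no error message (Fenton's rule).

classes = {"x": frozenset({"x"}), "y": frozenset({"x", "y"}), "z": Low}
store = {"x": 1, "y": 0, "z": 0}

# if x = 1 then y := 1  -- implicit flow x -> y; allowed, since _x <= _y.
if store["x"] == 1:
    guarded_assign(store, classes, "y", 1, [], pc_class=classes["x"])

# if x = 1 then z := 1  -- _x <= _z fails, so z is silently left unchanged.
if store["x"] == 1:
    guarded_assign(store, classes, "z", 1, [], pc_class=classes["x"])

print(store["y"], store["z"])  # 1 0
```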
Example:
Consider the statement

if x = 1 then y := 1 else z := 1,

where _x = High. Suppose that when x = 1, _y = High and _z = Low, but when

Now, an error flag can be securely logged in a record having a security class

With variable classes, changing the class _y to _x1 ⊕ … ⊕ _xm at the time of the assignment might seem sufficient for security. Although it is secure for the explicit flows, it is not secure for the implicit flows, because the execution path of the program will be different for different values of xm+1, …, xn. This is illustrated by the following example.
Example:
Consider the execution of the procedure copy1 shown in Figure 5.5. Suppose the local variable z has a variable class (initially Low), _z is changed whenever z is assigned a value, and flows into y are verified whenever y is assigned a value. Now, if the procedure is executed with x = 0, the test "x = 0" succeeds and (z, _z) becomes (1, _x); hence the test "z = 0" fails, and y remains 0. If it is executed with x = 1, the test "x = 0" fails, so (z, _z) remains (0, Low); hence the test "z = 0" succeeds, y is assigned the value 1, and the relation Low ≤ _y is verified. In either case, execution terminates with y = x, but without verifying the relation _x ≤ _y. The system, therefore, is insecure when _x ≰ _y. ■
and the relation _z ≤ _y would be verified regardless of whether the test "z = 0" succeeds. The disadvantage of this approach is that a compiler must analyze the flows of a program to determine what objects could receive an implicit flow, and insert additional instructions into the compiled code to increase a class if necessary.
Fenton [Fent73] and Gat and Saal [Gat75] proposed a different solution. Their solution involves restoring the class and value of any object whose class was increased during execution of a conditional structure to the class and value it had just before entering the structure. Hence, the objects whose class and value are restored behave as "local objects" within the conditional structure. This ensures the security of all implicit flows by nullifying those that caused a class increase. The disadvantage of this approach is the added complexity to the run-time enforcement mechanism.

Lampson suggested another approach that is much simpler to implement than either of the preceding. The class of an object would be changed only to reflect explicit flows into the object; implicit flows would be verified at the time of explicit ones, as for fixed classes. For example, execution of the statement "if x = 1 then y := z" would set _y to _z, and then verify the relation _x ≤ _y.
Simple flow controls can be integrated into the access control mechanisms of operating systems. Each process p is assigned a security clearance _p specifying the highest class p may read from and the lowest class p may write into. Security is enforced by access controls that permit p to acquire read access to an object x only if _x ≤ _p, and write access to an object y only if _p ≤ _y. Hence, p can read from x1, …, xm and write into y1, …, yn only if

_x1 ⊕ … ⊕ _xm ≤ _p ≤ _y1 ⊗ … ⊗ _yn.

[Figure 5.6: a process p with input classes _x1, …, _xm joined as _x1 ⊕ … ⊕ _xm, process class _p, and output classes _y1, …, _yn met as _y1 ⊗ … ⊗ _yn]
integrity constraints may prevent it from writing into Top Secret objects). All the
kernel-based systems discussed in Section 4.6.1 use access controls to enforce
multilevel security for user and untrusted system processes.
One of the first systems to use access controls to enforce multilevel security was the ADEPT-50 time-sharing system developed at SDC in the late 1960s [Weis69]. In ADEPT, the security clearance _p of a process p, called its "high water mark", is dynamically determined by the least upper bound of the classes of all files opened for read or write operations; thus _p is monotonically nondecreasing. When the process closes a newly created file f, the class _f is set to _p. Rotenberg's [Rote74] Privacy Restriction Processor is similar, except that _p is determined by the ⊕ of the classes opened for read, and whenever the process writes into a file f, the file's class is changed to _f := _f ⊕ _p.

This approach of dynamically assigning processes and objects to variable security classes can lead to leaks, as illustrated by the following example.
Example:
Suppose the procedure copy1 (see Figure 5.5) is split between processes p1 and p2, where p1 and p2 communicate through a global variable z dynamically bound to its security class:

p1: if x = 0 then z := 1
p2: if z = 0 then y := 1.

Now suppose _p1 and _p2 are set to the ⊕ of the classes of all objects opened for read or write operations, y and z are initially 0 and in class Low, _z is changed only when z is opened for writing, and flows to y are verified only when y is opened for writing. When x = 0, p1 terminates with z = 1 and _z = _p1 = _x; thus, _z is set to _x. But the test "z = 0" in p2 fails, so y is never opened for writing, and the relation _z ≤ _y is never verified. When x = 1, p1 terminates with _p1 = _x; however, because z is never opened for writing, (z, _z) remains (0, Low); thus, _p2 = Low, y becomes 1, and the relation Low ≤ _y is verified. In both cases, p2 terminates with y = x, even though the relation _x ≤ _y is never verified. Thus, a leak occurs if _x ≰ _y.

This problem does not arise when objects and processes have fixed security classes. To see why, suppose p1 runs in the minimal class needed to read x; i.e., _p1 = _x. Then p1 will never be allowed to write into z unless _x ≤ _z. Similarly, p2 will not be allowed to read z unless _z ≤ _p2, and it will never be allowed to write into y unless _p2 ≤ _y. Hence, no information can flow from x to y unless _x ≤ _z ≤ _y. ■
When the process executes a conditional branch instruction on a variable x, the current value and class of pc are pushed onto a stack, and (pc, _pc) is replaced with (n, _pc ⊕ _x), where n is the branch target. The class _pc is increased by _x because information about x is encoded in the execution path of the program. The only way _pc can be decreased is by executing a return instruction, which restores (pc, _pc) to its earlier value. This forces the program to return to the instruction following the conditional branch, whence the execution path is no longer directly conditioned on the value of x. Initially _pc = Low, so that immediately before executing an instruction on a path directly conditioned on the values of x1, …, xm, _pc = _x1 ⊕ … ⊕ _xm. If the
Example:
Figure 5.7 shows how the copy1 program of Figure 5.5 can be translated into instructions for the DMM. For simplicity, we assume y and z are initially 0. Note that the translated program modifies the value of x; this does not affect its flow from x to y.

The following execution trace shows the effect of executing each instruction when x = 0 and _x ≤ _z:

Instruction   z    _pc    Verify
initial       0    Low
1                  _x
4             1    _x     _x ≤ _z
5                  Low
2             0    Low    Low ≤ _z
3 (halt)

The reader should verify that the program causes information to flow from x to y only when _x ≤ _z ≤ _y. ■
1  if x = 0 then goto 4 else x := x - 1
2  if z = 0 then goto 6 else z := z - 1
3  halt
4  z := z + 1
5  return
6  y := y + 1
7  return
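The seven-instruction program above can be exercised with a few lines of Python. This toy interpreter (assumptions: y and z start at 0; the saved (pc, _pc) pair is modeled by a plain return-address stack) confirms that execution terminates with y = x for both inputs:

```python
def run_copy1(x):
    """Interpret the DMM translation of copy1; return (y, instruction trace)."""
    store = {"x": x, "z": 0, "y": 0}
    pc, stack, trace = 1, [], []
    while True:
        trace.append(pc)
        if pc == 1:    # if x = 0 then goto 4 else x := x - 1
            if store["x"] == 0: stack.append(2); pc = 4
            else: store["x"] -= 1; pc = 2
        elif pc == 2:  # if z = 0 then goto 6 else z := z - 1
            if store["z"] == 0: stack.append(3); pc = 6
            else: store["z"] -= 1; pc = 3
        elif pc == 3:  # halt
            return store["y"], trace
        elif pc == 4:  # z := z + 1   (the DMM verifies _pc <= _z here)
            store["z"] += 1; pc = 5
        elif pc == 6:  # y := y + 1   (the DMM verifies _pc <= _y here)
            store["y"] += 1; pc = 7
        elif pc in (5, 7):  # return: pop the saved pc, restoring _pc
            pc = stack.pop()

for x in (0, 1):
    y, trace = run_copy1(x)
    assert y == x
print(run_copy1(0)[1])  # [1, 4, 5, 2, 3]
```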
Example:
Execution of the statement "y := x1 * x2 + x3" is shown next:

[Table: operation-by-operation execution on the single accumulator machine]

Note the check associated with the STORE verifies _x1 ⊕ _x2 ⊕ _x3 ⊕ _pc ≤ _y. ■
Figure 5.8 shows how the procedure copy1 in Figure 5.5 can be translated into instructions on the single accumulator machine. Execution of the program is left as an exercise.

If the memory tags are variable, security cannot be guaranteed by changing the semantics of the STORE operation to:
will reject secure programs. For example, consider the following program segment:

if x = 1 then y := a else y := b.

Execution of this segment causes either a flow a → y or a flow b → y, but not both. The simple certification mechanism, however, requires that both _a ≤ _y and _b ≤ _y. This is not a problem if both relations hold; but if _a ≤ _y holds only when x = 1, and _b ≤ _y holds only when x ≠ 1, we would like a more precise mechanism. To achieve this, in Section 5.5 we combine flow proofs with correctness proofs, so that the actual execution path of a program can be taken into account.
The mechanism described here is based on [Denn75,Denn77]. It was developed for verifying the internal flows of applications programs running in an otherwise secure system, and not for security kernel verification.
Example:
The following gives the flow specifications of a procedure that computes the
maximum of its inputs:
procedure max(x: integer class {x};
              y: integer class {y};
          var m: integer class {x, y});
begin
    if x > y then m := x else m := y
end
end max.
The security class specified for the output m implies that x ≤ m and
y ≤ m. ∎
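The class lattice these examples assume can be sketched in a few lines (the names below are ours, not from the text): a class is a set of categories, join (⊕) is set union, and u ≤ v is containment.

```python
# Hypothetical model of the security-class lattice: classes are frozensets
# of categories, join (the ⊕ operator) is union, and u ≤ v is the subset test.
def join(*classes):
    out = frozenset()
    for c in classes:
        out |= c
    return out

def leq(u, v):                    # u ≤ v in the lattice
    return u <= v

x, y = frozenset({"x"}), frozenset({"y"})
m = join(x, y)                    # the class {x, y} declared for output m

# Both flows caused by max's body are permitted by the specification:
assert leq(x, m) and leq(y, m)
# The reverse flow m → x would not be:
assert not leq(m, x)
```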
Example:
The following gives the input-output specifications of a procedure that swaps
two variables x and y, and increments a counter i (recording the number of
swaps):
procedure swap(var x, y: integer class {x, y};
               var i: integer class {i});
var t: integer class {x, y};
begin
    t := x;
    x := y;
    y := t;
    i := i + 1
end
end swap.
Because both x ≤ y and y ≤ x are required for security, the specifications
state that x = y; this class is also assigned to the local variable t. Note that
i is in a class by itself because it does not receive information from either
x or y. ∎
A procedure is secure if it satisfies its specifications; that is, for each input u and
output y, execution of the procedure can cause a flow u → y only if the classes
specified for u and y satisfy the relation u ≤ y. The procedures in the preceding
examples are secure.
We shall define the security requirements for the statement (body) S of a
procedure recursively, giving sufficient conditions for security for each statement
type. These conditions are expressed as constraints on the classes of the
parameters and local variables. A procedure is then secure if its flow specifications
(i.e., class declarations) imply these constraints are satisfied. The conditions are
not necessary for security, however, and some secure programs will be rejected.
Initially, we assume S is one of the following:
1. Assignment:  b := e
2. Compound:    begin S1; ...; Sn end
3. Alternation: if e then S1 [else S2]
4. Iteration:   while e do S1
5. Call:        q(a1, ..., am, b1, ..., bn)

where the Si are statements, and e is an expression with operands a1, ..., an, which
we write as

e = f(a1, ..., an) ,

where the function f has no side effects. The class of e is given by

e = a1 ⊕ ... ⊕ an .
We assume all data objects are simple scalar types or files, and all statements
terminate and execute as specified; there are no abnormal terminations due to
exceptional conditions or program traps. Structured types and abnormal program
terminations are considered later.
The security conditions for the explicit flow caused by an assignment are as
follows:

Security conditions for assignment:
Execution of an assignment

b := e

is secure if e ≤ b. ∎
Because input and output operations can be modeled as assignments in which the
source or target object is a file, they are not considered separately here.
Because the relation ≤ is transitive, the security conditions for a compound
statement are as follows:

Security conditions for compound:
Execution of the statement

begin S1; ...; Sn end

is secure if execution of each of S1, ..., Sn is secure. ∎
If b1, ..., bm are the targets of assignments in S1 [and S2], then execution of the
if statement can cause implicit flows from e to each bj. We therefore have the
following:

Security conditions for alternation:
Execution of the statement

if e then S1 [else S2]

is secure if

(i) Execution of S1 [and S2] is secure, and
(ii) e ≤ S, where S = S1 [⊗ S2] and
     S1 = ⊗{b | b is a target of an assignment in S1} ,
     S2 = ⊗{b | b is a target of an assignment in S2} . ∎

Condition (ii) implies e ≤ b1 ⊗ ... ⊗ bm and, therefore, e ≤ bj (1 ≤ j ≤ m).
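The assignment, compound, and alternation conditions can be sketched as a small recursive certifier (a hypothetical illustration, not the book's implementation): classes are sets of categories, the join of an expression's operand classes is set union, the class of a statement is the meet ⊗ (intersection) of its targets' classes, and each verify step is an assertion.

```python
# Hypothetical certifier sketch.  A class is a frozenset of categories:
# join (⊕) = union, meet (⊗) = intersection, and u ≤ v is the subset test.
# Statements are tuples:
#   ("assign", target, operands), ("seq", [statements]),
#   ("if", operands, then_stmt, else_stmt)
def expr_class(operands, env):                  # e = a1 ⊕ ... ⊕ an
    out = frozenset()
    for a in operands:
        out |= env[a]
    return out

def certify(stmt, env):
    """Return the statement class S; raise AssertionError if a check fails."""
    if stmt[0] == "assign":
        _, b, ops = stmt
        assert expr_class(ops, env) <= env[b]   # verify e ≤ b
        return env[b]                           # S := b
    if stmt[0] == "seq":
        s = certify(stmt[1][0], env)
        for sub in stmt[1][1:]:
            s &= certify(sub, env)              # S := S1 ⊗ ... ⊗ Sn
        return s
    _, ops, s1, s2 = stmt                       # alternation
    s = certify(s1, env) & certify(s2, env)     # S := S1 ⊗ S2
    assert expr_class(ops, env) <= s            # verify e ≤ S
    return s

env = {"a": frozenset({"A"}), "b": frozenset({"A", "B"}),
       "y": frozenset({"A", "B"})}
# if a = ... then y := b else y := b — needs a ≤ y (implicit), b ≤ y (explicit)
assert certify(("if", ["a"],
                ("assign", "y", ["b"]),
                ("assign", "y", ["b"])), env) == frozenset({"A", "B"})
```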
Example:
For the following statement

if x > y then
    begin
        z := w;
        i := k + 1
    end ,

certification verifies x ⊕ y ≤ z ⊗ i, i.e., x ⊕ y ≤ z and x ⊕ y ≤ i. ∎
If b1, ..., bm are the targets of flows in S1, then execution of the statement can
cause implicit flows from e to each bj. Security is guaranteed by the same condi-
tion as for the if statement:

Security conditions for iteration:
Execution of the statement

while e do S1

is secure if

(i) S terminates,
(ii) Execution of S1 is secure, and
(iii) e ≤ S, where S = S1 and
      S1 = ⊗{b | b is a target of a possible flow in S1} . ∎
Because other iterative structures (e.g., for and repeat-until) can be described in
terms of the while, we shall not consider them separately here.
Nonterminating loops can cause additional implicit flows, because execution
q(a1, ..., am, b1, ..., bn) ,

where a1, ..., am are the actual input arguments and b1, ..., bn the actual input/
output arguments corresponding to formal parameters x1, ..., xm and y1, ..., yn,
respectively. Assuming q is secure, execution of q can cause a flow ai → bj only if
xi ≤ yj; similarly, it can cause a flow bi → bj only if yi ≤ yj. We therefore have
the following:

Security conditions for call:
Execution of the statement

q(a1, ..., am, b1, ..., bn)

is secure if

(i) q is secure, and
(ii) ai ≤ bj if xi ≤ yj (1 ≤ i ≤ m, 1 ≤ j ≤ n), and
     bi ≤ bj if yi ≤ yj (1 ≤ i ≤ n, 1 ≤ j ≤ n) . ∎
Example:
Consider the procedure max(x, y, m) of the preceding section, which assigns
the maximum of x and y to m. Because the procedure specifies that x ≤ m
and y ≤ m for output m, execution of a call "max(a, b, c)" is secure if a ≤ c
and b ≤ c. ∎
Example:
The security requirements of different statements are illustrated by the pro-
cedure shown in Figure 5.9, which copies x into y using a subtle combination
of implicit and explicit flows (the security conditions are shown to the right
of each statement). Initially x is 0 or 1. When x = 0, the first test "z = 1"
succeeds, and the first iteration sets y = 0 and z = x = 0; the second test
"z = 1" then fails, and the program terminates. When x = 1, the first test "z
= 1" succeeds, and the first iteration sets y = 0 and z = x = 1; the second
test "z = 1" also succeeds, and the second iteration sets y = 1 and z = 0; the
third test "z = 1" then fails, and the program terminates. In both cases, the
program terminates with y = x. The flow x → y is indirect: an explicit flow x
COMPILER-BASED MECHANISM 297
(Figure 5.9, partially reproduced: the branch "then z := x" carries the check
x ≤ z, and "else z := 0" the check Low ≤ z; the remaining lines close the
loop and the procedure copy2.)
→ z occurs during the first iteration; this is followed by an implicit flow z →
y during the second iteration, due to the iteration being conditioned on z.
The security requirements for the body of the procedure imply the
relations x ≤ z ≤ y ≤ z must hold. Because the flow specifications state y
= z = x = {x}, the security requirements are met, and the procedure is
certified. ∎
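Figure 5.9 is not fully reproduced here, but the behavior just described can be realized as follows (a hypothetical reconstruction; the loop body is our guess, chosen only to match the trace in the text):

```python
# Hypothetical reconstruction of copy2's behavior, with x assumed 0 or 1:
# the first iteration sets y = 0 and z = x, the second (taken only when
# x = 1) sets y = 1 and z = 0, so the program ends with y = x.
def copy2(x):
    y, z = -1, 1
    while z == 1:               # the test "z = 1"
        y += 1                  # first iteration: y = 0; second: y = 1
        z = x if y == 0 else 0  # "then z := x ... else z := 0"
    return y

assert copy2(0) == 0 and copy2(1) == 1
```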
Example:
As the expression e = "a + b * c" is parsed, the classes of the variables are
associated with the nodes of the syntax tree and propagated up the tree,
giving e = a ⊕ b ⊕ c. ∎
TABLE 5.4  Certification semantics.

Expression                       e
f(a1, ..., an)                   e := a1 ⊕ ... ⊕ an

Statement                        S
b := e                           S := b;
                                 verify e ≤ b
begin S1; ...; Sn end            S := S1 ⊗ ... ⊗ Sn
if e then S1                     S := S1 [⊗ S2];
    [else S2]                    verify e ≤ S
while e do S1                    S := S1;
                                 verify e ≤ S
q(a1, ..., am; b1, ..., bn)      verify ai ≤ bj if xi ≤ yj
                                 verify bi ≤ bj if yi ≤ yj
                                 S := b1 ⊗ ... ⊗ bn
Example:
Figure 5.10 illustrates the certification of the statement

if a = b then
    begin
        c := 0;
        d := d + 1
    end
else d := c * e .
The overall parse is represented as a syntax tree for the statement. The
security classes (in parentheses) and verification checks (circled) are shown
opposite each subtree. The semantic actions propagate the classes of
expressions and statements up the tree. ∎
(Figure 5.10, not reproduced: the root of the tree carries the statement class
c ⊗ d and the circled check a ⊕ b ≤ c ⊗ d.)
Consider an array a[1:n]. We first observe that if an array reference "a[e]"
occurs within an expression, where e is a subscript expression, then the array
reference can contain information about a[e] or e.
Example:
Consider the statement

b := a[e] .

If e is known but a[e] is not, then execution of this statement causes a flow
a[e] → b. If a[i] is known for i = 1, ..., n but e is not, it can cause a flow e →
b (e.g., if a[i] = i for i = 1, ..., n, then b = e). ∎
We next observe that an assignment of the form "a[e] := b" can cause information
about e to flow into a[e].
Example:
If an assignment "a[e] := 1" is made on an all-zero array, the value of e can
be obtained from the index of the only nonzero element in a. ∎
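This channel is easy to demonstrate directly (a sketch; the array size and the leaked value are arbitrary):

```python
# The all-zero-array channel: after "a[e] := 1" the index of the single
# nonzero element reveals the subscript e.
a = [0] * 8
e = 5                      # the value to be leaked through the subscript
a[e] = 1
assert a.index(1) == e     # e recovered from the array's contents
```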
If all elements a[i] belong to the same class a, the certification mechanism is
easily extended to verify flows to and from arrays. For an array reference "a[e]",
the class a ⊕ e can be associated with the reference to verify flows from a and e.
For an array assignment "a[e] := b", the relation e ≤ a can be verified along with
the relation b ≤ a.
If the elements belong to different classes, it is necessary to check only the
classes a[i] for those i in the range of e. This is because there can be no flow to or
from a[j] if e never evaluates to j (there must be a possibility of accessing an
object for information to flow).
Example:
Given a[1:4] and b[1:4], the statement

if x ≤ 2 then b[x] := a[x]
Performing such a flow analysis is beyond the scope of the present mechanism.
As a general rule, a mechanism is needed to ensure addresses refer to the
objects assumed during certification. Otherwise, a statement like "a[e] := b"
might cause an invalid flow b ----~c, where c is an object addressed by a[e] when e is
out of range. There are several possible approaches to constructing such a mecha-
nism. One method is for the compiler to generate code to check the bounds of
array subscripts and pointer variables. The disadvantage of this approach is that it
can substantially increase the size of a program as well as its running time. A more
efficient method is possible if each array object in memory has a descriptor giving
its bounds; the hardware can then check the validity of addresses in parallel with
instruction execution. A third method is to prove that all subscripts and pointer
variables are within their bounds; program proving is discussed in the next section.
The certification mechanism can be extended to control structures arising
from arbitrary goto statements. Certifying a program with unrestricted gotos,
however, requires a control flow analysis of the program to determine the objects
receiving implicit flows. (This analysis is unnecessary if gotos are restricted, for
example, to loop exits, so that the scope of conditional expressions can be deter-
mined during syntax analysis.) Following is an outline of the analysis required to
do the certification. All basic blocks (single-entry, single-exit substructures) are
Example:
Figure 5.11 shows how the copy2 procedure of Figure 5.9 can be written
with gotos and partitioned into blocks. The control flow graph of the pro-
gram is shown in Figure 5.12. Proof that the program is secure is left as an
exercise. ∎
(Figure 5.12, not reproduced: the edges of the control flow graph are labeled
with the branch conditions, e.g., e2: z ≠ 1 and e3: y ≠ 0, and their true/false
outcomes. The immediate forward dominators are:

IFD(b1) = b2
IFD(b2) = b6
IFD(b3) = IFD(b4) = IFD(b5) = b2 .)
Reitman [Reit79] and Andrews and Reitman [Andr80] show that information can
flow among concurrent programs over synchronization channels.
Example:
Suppose procedures p and q synchronize through a shared semaphore s as
follows:
procedure p(x: integer class {x};
        var s: semaphore class {s, x});
begin
    if x = 1 then signal(s)
end
end p

procedure q(var y: integer class {s, y};
            var s: semaphore class {s, y});
begin
    y := 0;
    wait(s);
    y := 1
end
end q
where wait(s) delays q until p issues a signal(s) operation. Concurrent execu-
tion of these procedures causes an implicit flow of information from param-
eter x of p to parameter y of q over the synchronization channel associated
with the semaphore s: if x = 0, y is set to 0, and q is delayed indefinitely on s;
if x = 1, q is signaled, and y is set to 1. Thus, if p and q are invoked
concurrently as follows:

cobegin
    p(a, s)
    q(b, s)
coend

the value of argument a flows into argument b. ∎
The flow x → y in the preceding example is caused by wait(s) and signal(s),
which read and modify the value of s (the complete semantics of these
operations are not shown):
(Figure 5.13, partially reproduced:)

"Process 2"
    wait(s0); y := 1; signal(s1);
"Process 3"
    wait(s1); y := 0; signal(s0);
coend
end copy3
Example:
Consider the program copy3 shown in Figure 5.13. When x = 0, process 2
executes before process 3, so the final value of y is 0; when x ≠ 0, process 3
executes before process 2, so the final value of y is 1. Hence, if x is initially 0
or 1, execution of copy3 sets y to the value of x. ∎
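The race can be reproduced with real semaphores (a sketch; since Figure 5.13 is only partially reproduced above, we assume process 1 signals s0 when x = 0 and s1 otherwise):

```python
import threading

# Simulation of copy3: two processes chained by semaphores s0 and s1;
# whichever runs last determines the final value of y, and which one starts
# first is selected by the value of x.
def copy3(x):
    s0, s1 = threading.Semaphore(0), threading.Semaphore(0)
    state = {}

    def process2():                         # wait(s0); y := 1; signal(s1)
        s0.acquire(); state["y"] = 1; s1.release()

    def process3():                         # wait(s1); y := 0; signal(s0)
        s1.acquire(); state["y"] = 0; s0.release()

    t2 = threading.Thread(target=process2)
    t3 = threading.Thread(target=process3)
    t2.start(); t3.start()
    (s0 if x == 0 else s1).release()        # assumed behavior of process 1
    t2.join(); t3.join()
    return state["y"]

assert copy3(0) == 0 and copy3(1) == 1
```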
Example:
Consider the program copy4 shown in Figure 5.14. Execution of copy4 trans-

(Figure 5.14, partially reproduced:)

begin
    while e1 do ;
    y := 0;
    e0 := false
end
coend
end copy4
Our present certification mechanism would not verify the relations e0 ≤ y
and e1 ≤ y in the preceding example, because the assignments to y are outside the
loop bodies. To verify these "global flows", Reitman and Andrews consider the
expression e of a statement "while e do S1" to have a global scope that includes any
statement logically following the while; the relation e ≤ y is verified for every
object y that is the target of an assignment in the global scope. A "while e",
therefore, is treated like a "wait(e)". Extending the certification semantics of
Table 5.4 to verify synchronization and global flows in parallel programs is left as
an exercise.
Reed and Kanodia [Reed79] observed that synchronization flows can also
emanate from a waiting process; because wait(s) modifies the value of s, another
waiting process can be blocked or delayed as a result. They show that by using
eventcounts for process synchronization, information flows are restricted to
signalers.
A signaling process can covertly leak a value by making the length of delay
proportional to the value. The problem is the same as with loops, and there does
not appear to be a satisfactory solution to either.
Information can flow along covert channels associated with abnormal program
terminations.
Example:
Consider the following copy procedure:
procedure copy5(x: integer class {x};
            var y: integer class {y});
"insecure procedure that leaks x to y"
begin
    y := 0;
    while x = 0 do ;
    y := 1
end
end copy5 .
If x = 0, then y becomes 0, and the procedure hangs in the loop; if x = 1,
then y becomes 1, and the procedure terminates. ∎
The flow x → y in the copy5 procedure occurs because the statement "y := 1" is
conditioned on the value of x; thus there is an implicit flow x → y, even though y is
not the target of a flow in the statements local to the loop.
Such covert flows are not confined to nonterminating loops.
Example:
If the while statement in copy5 is replaced by the statement

if x = 0 then x := 1/x ;

the value of x can still be deduced from y: if x = 0, the procedure abnormally
terminates with a divide-by-zero exception and y = 0; if x = 1, the procedure
terminates normally with y = 1. ∎
Indeed, the nonterminating while statement could be replaced by any action that
causes abnormal program termination: end-of-file, subscript-out-of-range, etc.
Furthermore, the leak occurs even without the assignments to y, because the value
of x can be determined by whether the procedure terminates normally.
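The divide-by-zero variant of the channel is easy to exhibit (a sketch; the function name is ours, and the exception handler stands in for the observer who notices the abnormal termination):

```python
# Sketch of the abnormal-termination channel: whether the division traps
# reveals x, so y ends up equal to x although y is never assigned from x.
def leak_by_trap(x):
    y = 0
    try:
        _ = 1 // x             # raises ZeroDivisionError exactly when x = 0
        y = 1                  # reached only on normal termination
    except ZeroDivisionError:
        pass                   # the trap plays the role of the hung loop
    return y

assert leak_by_trap(0) == 0 and leak_by_trap(1) == 1
```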
Example:
Consider this copy procedure:
Example:
If the statement

on overflow sum do z := 1

were added to the copy6 procedure, the security check sum ≤ z would be
made, and the procedure would be declared insecure. ∎
This still leaves the problem of undefined traps and abnormal terminations
from timeouts and similar events (overflowing a page limit or punched card limit,
or running out of memory or file space). Many such problems can be eliminated
by proving properties about the security and correctness of procedures; this is
PROGRAM VERIFICATION 307
discussed in the next section. A mechanism that detects and logs abnormal termi-
nation of certified procedures is also essential.
Example:
Consider this procedure:
procedure copy7(x, a, b: integer; var y: integer);
    if x = 1 then y := a else y := b
end copy7 .
Because of the implicit flow from x to y and the explicit flows from a and b
to y, the certification mechanism requires the following relations hold for
any execution of copy7:

x ≤ y, a ≤ y, and b ≤ y .

This is stronger than necessary, because any particular execution will trans-
fer information from either a into y or from b into y, but not both. ∎
permits. The bound may also be expressed as a join of the information states of
other variables, as in v ≤ u1 ⊕ ... ⊕ un, which states v contains information no
more sensitive than that in u1, ..., un.
A special class pc represents the information state of the program counter
(Andrews and Reitman call this class local); pc simulates the program counter
class pc in Fenton's Data Mark Machine (see Section 5.3.3), and is used to prove
properties about implicit flows.
Assertions about the classes of variables can be combined with assertions
about their values. An assertion about the final state of the copy7 procedure is
given by:

{pc ≤ PCc7,
 (x = 1) ⊃ (y ≤ x ⊕ a ⊕ PCc7), (x ≠ 1) ⊃ (y ≤ x ⊕ b ⊕ PCc7)} ,

where PCc7 represents a bound on pc upon entering copy7. This says when x = 1,
the information in y is no more sensitive than that in x, a, and the program counter
pc; when x ≠ 1, the information in y is no more sensitive than that in x, b, and pc.
In the flow logic, execution of an assignment statement

v := f(u1, ..., un)

is described by the assertion

v ≤ u1 ⊕ ... ⊕ un ,

relating the information state of v to that of u1, ..., un. Note that this differs from
the certification mechanism of the previous section, where the assignment state-
ment imposes the security condition

u1 ⊕ ... ⊕ un ≤ v ,

relating the fixed security class of v to that of u1, ..., un. Section 5.5.6 shows how
security conditions relate to assertions in the flow logic.
An assertion P will be expressed as a predicate in first-order calculus using
"," for conjunction, "⊃" for implication, "¬" for negation, and "∀" for univer-
sal quantification (we shall not use disjunction or existential quantification in our
examples).
Let P and Q be assertions about the information state of a program. For a
given statement S,

{P} S {Q}

means that if P is true before executing S, then Q is true afterward. The notation

P[x ← y]

means the assertion P with every free occurrence of x replaced with y.
The simplest proof rule is the rule of consequence:
PROGRAM VERIFICATION 309
Rule of consequence:
Given: P ⊃ P', {P'} S {Q'}, Q' ⊃ Q
Conclusion: {P} S {Q} ∎
The axioms and proof rules for each statement type are now given in Sec-
tions 5.5.1-5.5.5.
5.5.1 Assignment
Example:
Consider the statement

y := x + 1 .

The axiom can be used to prove that the precondition {0 ≤ x ≤ 4} implies
the postcondition {1 ≤ y ≤ 5}:

{0 ≤ x ≤ 4}
{1 ≤ (x + 1) ≤ 5}
y := x + 1
{1 ≤ y ≤ 5} .

The second assertion follows from the first by simple implication. The third
follows from the second (and the effect of executing the assignment state-
ment) by the axiom for assignment. ∎
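Because the precondition admits only five states, the triple can be checked exhaustively (a sketch, verifying values only, not classes):

```python
# Exhaustive check of the proved triple {0 <= x <= 4} y := x + 1 {1 <= y <= 5}.
for x in range(0, 5):          # every state satisfying the precondition
    assert 1 <= x + 1 <= 5     # the substituted assertion {1 <= (x+1) <= 5}
    y = x + 1
    assert 1 <= y <= 5         # the postcondition
```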
Example:
The following is also true:

{x = 3, z = 0}
y := x + 1
{1 ≤ y ≤ 5} . ∎
Assignment axiom:
{P[b ← e; b ← e ⊕ pc]} b := e {P} ∎

This states the sensitivity of b after the assignment will be no greater than that of e
and pc before the assignment.
Example:
Suppose execution of the statement "y := x + 1" is conditioned on the value
of variable z. Given the precondition {0 ≤ x ≤ 4, pc ≤ z}, we can prove:

{0 ≤ x ≤ 4, pc ≤ z}
{0 ≤ x ≤ 4, x ⊕ pc ≤ x ⊕ z, pc ≤ z}
y := x + 1
{1 ≤ y ≤ 5, y ≤ x ⊕ z, pc ≤ z}

The postcondition {y ≤ x ⊕ z} states that the information in y after the
statement is executed is no more sensitive than that in x and z. ∎
5.5.2 Compound
Compound rule:
Given: {Pi} Si {Pi+1} for i = 1, ..., n
Conclusion: {P1} begin S1; ...; Sn end {Pn+1} ∎
Example:
Consider the statement

begin i := x div n; y := x - i*n end .

The following proves y = x mod n when x ≥ 0 and n > 0, and y ≤ x ⊕ n
when pc ≤ Low:

{x ≥ 0, n > 0, pc ≤ Low}
begin
    {0 ≤ x - (x div n)*n < n, x ⊕ n ≤ x ⊕ n, pc ≤ Low}
    i := x div n;
    {0 ≤ x - i*n < n, i ≤ x ⊕ n, pc ≤ Low}
    {0 ≤ x - i*n < n, (x - i*n - x) mod n = 0,
     x ⊕ i ⊕ n ≤ x ⊕ n, pc ≤ Low}
    y := x - i*n
end
{0 ≤ y < n, (y - x) mod n = 0, y ≤ x ⊕ n, pc ≤ Low} .
Because the initial value of i does not flow into y, its class does not appear in
the postcondition. The proof consists of a sequence of statements and asser-
tions. Each assertion follows from its preceding assertion either by simple
implication (e.g., the second and fourth assertions), or by the axioms and
proof rules (e.g., the third and fifth assertions). ∎
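The value part of the postcondition can be checked directly for sample inputs (a sketch; the function name is ours):

```python
# Check of the compound proof: for x >= 0 and n > 0 the postcondition
# 0 <= y < n and (y - x) mod n = 0 holds, i.e., y = x mod n.
def div_mod(x, n):
    i = x // n            # i := x div n
    y = x - i * n         # y := x - i*n
    assert 0 <= y < n and (y - x) % n == 0
    return y

assert all(div_mod(x, 7) == x % 7 for x in range(0, 50))
```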
5.5.3 Alternation
Consider the statement "if e then S1 else S2",
where S2 is the null statement when there is no else part. The proof rule for
correctness follows:

Given: {P, e} S1 {Q}
       {P, ¬e} S2 {Q}
Conclusion: {P} if e then S1 else S2 {Q} ∎
Example:
Consider the statement

if x ≥ 0 then y := x else y := -x .

We can prove that execution of this statement sets y = |x| for any initial
value of x:

{ }
if x ≥ 0
    {x ≥ 0}
    {x ≥ 0, x = |x|}
    then y := x
    {y = |x|}
    {x < 0}
    {x < 0, -x = |x|}
    else y := -x
    {y = |x|}
{y = |x|} . ∎
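The same triple can be spot-checked on a few initial values (a sketch, checking values only):

```python
# Check of the correctness proof: { } if x >= 0 then y := x else y := -x {y = |x|}.
for x in (-7, -1, 0, 3):
    if x >= 0:
        y = x              # then-branch: {x >= 0, x = |x|} gives y = |x|
    else:
        y = -x             # else-branch: {x < 0, -x = |x|} gives y = |x|
    assert y == abs(x)
```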
To extend the proof rule to secure information flow, we must account for the
implicit flow from e into S1 and S2 via the program counter. To do this, the
precondition P is written as a conjunction P = {V, L}, where L is an assertion
about pc and V is an assertion about the remaining information state. Similarly,
the postcondition Q is written as a conjunction Q = {V', L}. On entry to (and exit
from) S1 and S2, L is replaced with an assertion L' such that {V, L} implies the
assertion L'[pc ← pc ⊕ e]. This allows the class pc to be temporarily increased by
e on entry to S1 or S2, and then restored on exit. Because pc is restored after
execution of the if statement, the assertion L is invariant (i.e., it is the same in P
and Q); however, the assertion V may be changed by S1 or S2. We thus have the
following rule:

Alternation rule:
Given: P = {V, L}, Q = {V', L}
       {V, e, L'} S1 {V', L'}
       {V, ¬e, L'} S2 {V', L'}
       P ⊃ L'[pc ← pc ⊕ e]
Conclusion: {P} if e then S1 else S2 {Q} ∎
Example:
Consider the statement

if x = 1 then y := a else y := b .

For the else branch we can prove:

{x ≠ 1, pc ≤ x}
{x ≠ 1, pc ⊕ b ≤ x ⊕ b, pc ≤ x}
else y := b
{x ≠ 1, y ≤ x ⊕ b, pc ≤ x}

The postcondition for the complete statement is:

{pc ≤ Low,
 (x = 1) ⊃ (y ≤ x ⊕ a), (x ≠ 1) ⊃ (y ≤ x ⊕ b)} . ∎
5.5.4 Iteration
Consider the statement

while e do S1 .

Iteration rule:
Given: P = {V, L}
       {V, L', e} S1 {V, L'}
       P ⊃ L'[pc ← pc ⊕ e]
Conclusion: {P} while e do S1 {P, ¬e} ∎
Example:
Consider the following procedure, with precondition and postcondition as
shown:
procedure f(var y1, y2: integer);
begin
    y2 := y1;
    y1 := 0
end
Example:
Consider the following procedure, which deciphers a string x (we shall as-
sume the key is part of the decipher function):

procedure decipher(x: string "ciphertext";
               var y: string "plaintext");
"decipher x into y"
{pc ≤ PCd}
"decipher transformation"
{y ≤ x ⊕ PCd, pc ≤ PCd}
end decipher .

The postcondition states the final state of y is no more sensitive than the
state of x and the program counter.
Now, consider the procedure shown in Figure 5.15, which calls decipher.
5.5.6 Security
Proving a program satisfies its assertions does not automatically imply the pro-
gram is secure. The assertions must also satisfy the security requirements imposed
by the flow policy.
Given a statement S and a proof {P} S {Q}, execution of S is secure if and
only if:

1. P is initially true, and
2. For every object v assigned to a fixed security class v, Q implies (v ≤ v).

The second requirement states that the information represented in the final
value of v (represented by v) must be no more sensitive than that permitted by the
class v.
Example:
Earlier we proved:

{pc ≤ Low}
if x = 1 then y := a else y := b
{pc ≤ Low,
 (x = 1) ⊃ (y ≤ x ⊕ a), (x ≠ 1) ⊃ (y ≤ x ⊕ b)} .

Let x = 1, with classes x = Low, a = Low, b = High, y = Low, and pc = Low.
Since the postcondition does not contain any assertions about the sensitivity of
information in x, a, or b, it does not imply that x ≤ Low, a ≤ Low, b
≤ High, and y ≤ Low. To show execution of this statement is secure, we
instead prove:

{x = 1, x ≤ Low, a ≤ Low, b ≤ High, pc ≤ Low}
if x = 1 then y := a else y := b
{x = 1, x ≤ Low, a ≤ Low, b ≤ High, y ≤ x ⊕ a, pc ≤ Low} ∎
Example:
Consider the following statement, which passes objects c and p to the proce-
dure getmsg of Figure 5.15 (we have chosen the same names for our actual
arguments as for the formal parameters of getmsg):

getmsg(c, p) .
Let a = 3 (Top Secret), with classes a = 0 (Unclassified or Low), c = 2
(Secret), p = 3, and PC = 3. Because a ≥ 2, the ciphertext c will be
deciphered, and the result assigned to p. We can prove:

{a = 3, a ≤ Low, c ≤ 2, p ≤ 3}
{a ≤ Low, pc ≤ 3,
 ∀u: (a ≤ Low, u ≤ 3, pc ≤ 3) ⊃
     (a = 3, a ≤ Low, c ≤ 2, u ≤ 3, pc ≤ 3)}
getmsg(c, p)
{a = 3, a ≤ Low, c ≤ 2, p ≤ 3, pc ≤ 3} .

Because the postcondition implies the contents of each object is no more
sensitive than its fixed class, the preceding call is secure.
Next let a = 1 (Confidential), a = 0, c = 2, p = 1, and PC = 1. Here a
< 2, so c will not be deciphered, and p will be assigned the null value. We
can prove:

{a = 1, a ≤ Low, c ≤ 2, p ≤ 1}
{a ≤ Low, pc ≤ 1,
 ∀u: (a ≤ Low, u ≤ 1, pc ≤ 1) ⊃
     (a = 1, a ≤ Low, c ≤ 2, u ≤ 1, pc ≤ 1)}
getmsg(c, p)
{a = 1, a ≤ Low, c ≤ 2, p ≤ 1, pc ≤ 1} .

Again the postcondition implies execution of the call is secure.
If a ≥ 2 and p < c, we cannot prove execution of the call is secure
(because it is not secure; see exercises at the end of the chapter). Assuming
only verified programs are allowed to execute, this means a top secret pro-
cess, for example, cannot cause secret ciphertext to be deciphered into a
lower classified variable. ∎
Once a procedure has been formally verified, we would like assurances it has
not been tampered with or replaced by a Trojan horse. This is a good application
for digital signatures (see Section 1.3.2). The verification mechanism would sign
the code for a procedure after its security had been proved, and the operating
system would not load and execute any code without a valid signature.
Efforts to build verifiably secure systems have been motivated largely by the secu-
rity requirements of the Department of Defense. Prior to the 1970s, no commer-
cially available system had withstood penetration, and no existing system could
adequately enforce multilevel security. To deal with this problem, classified infor-
mation was processed one level at a time, and the system was shut down and
cleared before processing information at another level. This was a costly and cum-
bersome mode of operation.
In the early 1970s, the Air Force Electronic Systems Division sponsored
several studies aimed at developing techniques to support the design and verifica-
tion of multilevel security systems. The methodology that emerged from these
studies was founded on the concept of security kernel (see Section 4.6.1), and was
reported in papers by Anderson [Ande72], Schell, Downey, and Popek [Sche72],
Bell and Burke [Bell74], and Bell and LaPadula [Bell73]. By the late 1970s, the
methodology had been applied (to various degrees) to the design and verification
of several security kernels including those listed in Section 4.6.1.
A security kernel is specified in terms of states and state transitions, and
verified following the general approach described in Section 4.6.3. The multilevel
security requirements of the kernel are based on a model introduced by Bell and
LaPadula at MITRE [Bell73]. The model assumes objects have fixed security
classes; this assumption is formalized by an axiom called the tranquility principle.
Multilevel security is given in terms of two axioms called the simple security
condition and the *-property (pronounced "star-property"). The simple security
condition states that a process p may not have read access to an object x unless x
≤ p. The *-property states that a process may not have read access to an object x
and write access to an object y unless x ≤ y. This is stronger than necessary,
because p may not cause any information flow from x to y; applications of the
model to security kernel verification have relaxed this to require x ≤ y only when
y is functionally dependent on x.
Researchers at MITRE [Mill76,Mill81] and at SRI [Feie77,Feie80] have
developed techniques for verifying multilevel security in formal program specifica-
tions expressed as V- and O-functions (see Section 4.6.3). Flows from state varia-
bles are specified by references to primitive V-functions, and flows into state
variables by changes to primitive V-functions (specified by the effects of O-func-
tions). Security is verified by proving the security classes of the state variables and
of the process executing the specified function satisfy the conditions for simple
security and the ,-property. The principal difference between security proofs for
FLOW CONTROLS IN PRACTICE 319
specifications and those for programs (such as described in the preceding sections)
is that specifications are nondeterministic; that is, the statements in the effects of
an O-function are unordered.
Feiertag [Feie80] developed a model and tool for verifying multilevel securi-
ty for V- and O-function specifications written in SPECIAL. The tool is part of
SRI's Hierarchical Design Methodology HDM (see Section 4.6.3). A formula
generator constructs formulas from the specifications that either prove or disprove
that a module is multilevel secure. Nontrivial formulas are passed to the Boyer-
Moore theorem prover, where they are proved (or disproved) to be theorems. The user
specifies the security classes of the state variables and the partial ordering relation
≤, so the tool is not limited to the military classification scheme. The Feiertag
model is the basis for the PSOS secure object manager [Feie77,Neum80]. The
tool has been used to verify the specifications of both the KSOS-11 and KSOS-6
(SCOMP) kernels. Verification of the KSOS kernel revealed several insecure
channels in the design, some of which will remain as known potential low-band-
width signaling paths [Neum80].
MITRE [Mill81] has also developed an automated tool for analyzing flows
in modules written in a specification language. The flow analyzer associates se-
mantic attributes with the syntactic types of the specification language in much
the same way as in the compiler-based mechanism described in Section 5.4.3. This
information is then used to produce tables of formulas which, if true, give suffi-
cient conditions for security (as in Feiertag's tool). The analyzer is generated using
the YACC parser generator on UNIX, so it can be easily adapted to different
specification languages; analyzers for subsets of SPECIAL and Ina Jo (the specifi-
cation language developed at SDC) have been implemented.
The MITRE flow analyzer is based in part on the deductive formulation of
information flow developed jointly by Millen [Mill78] and Furtek [Furt78]. The
deductive formulation describes information flow in a module by transition con-
straints on the values of the state variables on entry to and exit from the module.
Such a constraint is of the form
X l u l "" " x k . k × Y v ,
Example:
Consider the statement (formal specification)

'y = x ,

relating the new (primed) value of y to the old (unprimed) value of x. This
statement is described by the set of constraints

{x_u × y'_v | v ≠ u} ,

which states that if x initially has the value u, then the new value of y cannot
be v for any v ≠ u. Thus the initial value of x can be deduced from the new
value of y, and the security requirements of the statement are given by the
condition

x ≤ y . ∎
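The deduction can be made concrete over a small value domain (a sketch; the domain and function names are ours):

```python
# Sketch of the deductive formulation for 'y = x: the constraint set
# {x_u x y'_v | v != u} forbids every pair in which the new value of y
# differs from the old value of x, so observing 'y determines x.
values = (0, 1, 2)

def forbidden(u, v):       # is the pair (x = u, 'y = v) ruled out?
    return v != u

for v in values:
    possible_x = [u for u in values if not forbidden(u, v)]
    assert possible_x == [v]          # 'y = v reveals that x was v
```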
Example:
The specification statement

if x = 0 then 'y = 0 else 'y = 1

is described by the set of constraints

{x_0 × y'_v | v ≠ 0} ∪ {x_u × y'_v | u ≠ 0, v ≠ 1} ,

which shows that access to the new value of y can be used to deduce some-
thing about the initial value of x. The security requirements of this statement
are given by the same condition as the previous statement. ∎
Example:
Consider the specification statement

if x < 2 then 'y = a[x] .

This statement is described by the set of constraints

{x_i × a[i]_u × 'y_v | v ≠ u, i < 2} .

The security requirements of the statement are thus given by

x ≤ y
a[i] ≤ y for i < 2 . ∎
5.6.2 Extensions

Practical systems often have information flow requirements that extend or conflict
with the information flow models we have described thus far; the ACCAT Guard,
described next, is one example.
The ACCAT Guard [Wood79] is an interesting blend of flow controls and cryp-
tography. Developed by Logicon at the Advanced Command and Control Archi-
tectural Testbed (ACCAT), the Guard is a minicomputer interface between two
computers (or networks of computers) of different classifications (called Low and
High).
The Guard supports two types of communication: network mail and database
transactions. The Guard allows information to flow without human intervention
from Low to High computers, but approval by a Security Watch Officer is re-
quired for flows from High to Low. Figure 5.16 shows the role of the Security
Watch Officer for both types of communication. For mail, information flows in
one direction only, so human intervention is required only for mail transmitted
from High to Low computers (Figure 5.16b). Database transactions always re-
quire human intervention, however, because information flows in one direction
with the query and the reverse direction with the response. Queries from a High
computer to a Low computer must pass through the Security Watch Officer,
FIGURE 5.16 Information flow through the Guard and Security Watch Officer. [Four panels: (a) mail from Low to High; (b) mail from High to Low; (c) a query from High to Low; (d) a query from Low to High; each shows a Low computer and a High computer communicating through the Guard.]
though the response can be returned without human intervention (Figure 5.16c).
Queries from a Low to High computer can pass through the Guard without human
intervention, but here the response must be reviewed. The Guard passes the re-
sponse first through a Sanitization Officer, who edits the response as needed to
remove High security information, and then through the Security Watch Officer
(Figure 5.16d).
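The Guard's review rules just described can be summarized in a small decision function. This is an illustrative sketch only; the function name and the encoding of message kinds and directions are invented, not part of the Guard:

```python
# Hypothetical sketch of the Guard's human-review rules as described above.
# direction is the direction of the original message or query.
def needs_human_review(kind, direction, is_response=False):
    # kind: "mail" or "query"; direction: "low_to_high" or "high_to_low"
    if kind == "mail":
        # Mail flows one way: only High->Low mail needs the SWO's approval.
        return direction == "high_to_low"
    if direction == "high_to_low":
        # A High query to a Low computer is reviewed; its response is not.
        return not is_response
    # A Low query to a High computer passes freely; its response (which
    # flows High->Low) is sanitized and reviewed.
    return is_response

assert not needs_human_review("mail", "low_to_high")
assert needs_human_review("mail", "high_to_low")
assert needs_human_review("query", "high_to_low", is_response=False)
assert not needs_human_review("query", "high_to_low", is_response=True)
assert needs_human_review("query", "low_to_high", is_response=True)
```

The asymmetry mirrors the multilevel policy: only flows from High to Low ever require human approval.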
Figure 5.17 shows the structure of the Guard system. The computers are
connected to encryption devices called Private Line Interfaces (PLIs). The PLIs in
turn are connected to the ARPANET (Advanced Research Projects Agency NET-
work) through Interface Message Processors (IMPs) or Terminal Interface Pro-
cessors (TIPs). Separate encryption keys logically connect the Low computers to a
Low process in the Guard and the High computers to a High process in the Guard.
Because the keys are different, the Low and High computers cannot communicate
directly.
The Low and High processes run in a secure UNIX environment (such as that
provided by KSOS). Flows from Low to High processes in the Guard are handled
by the security mechanisms provided by the kernel. Because flows from High
to Low processes violate the multilevel security policy, they are controlled by a
trusted process that interfaces with the Security Watch Officer and downgrades
information. Verification of this trusted downgrading process requires showing that
all flows from High to Low are approved by the Security Watch Officer (see
[Ames80]). The Low and High processes communicate with the trusted processes
through inter-process communication messages provided by the kernel. The Secur-
ity Watch Officer's terminal is directly connected to the kernel to prevent
spoofing.
The multilevel security problem can be solved in part by running each classi-
fication level on a separate machine, and using encryption to enforce the flow
requirements between machines [Davi80]. But this is only a partial solution. As
illustrated by the Guard, some applications must process multiple classification
levels and even violate the general flow policy. These applications must be sup-
ported by a secure system so they cannot be misused. The design and verification
of specialized systems (such as the Guard), however, should be simpler than for
general-purpose systems.
EXERCISES
where x and y can each be 0 or 1, with both values equally likely, and z is
initially 0. Compute the equivocations H_z'(x) and H_z'(y).
5.4 Consider the statement

z := x + y ,

where x and y can each be 0 or 1, with both values equally likely. Compute
the equivocations H_z'(x) and H_z'(y).
5.5 Let x be an integer variable in the range [0, 2^32 − 1], with all values equally
likely. Write a program that transfers x to y using implicit flows. Compare
the running time of your program with the trivial program "y := x".
5.6 Consider the lattice in Figure 5.1. What class corresponds to each of the
following?
a. A ⊕ B, A ⊗ B
b. B ⊕ I, B ⊗ I
c. B ⊕ C, B ⊗ C
d. A ⊕ C ⊕ D, A ⊗ C ⊗ D
e. A ⊕ B ⊕ D, A ⊗ B ⊗ D.
5.7 Trace the execution of the procedure copy1 on the Data Mark Machine (see
Figure 5.7 and Table 5.1) for x = 1 when z ≤ y. Show that execution of
copy1 is secure when x ≰ y, both for x = 0 and x = 1. Note that if x ≰ y,
then either x ≰ z or z ≰ y.
5.8 Trace the execution of the procedure copy1 on the single accumulator ma-
chine (see Figure 5.8 and Table 5.2) for both x = 0 and x = 1 when x
= High, y = Low, z = High, and pc is initially Low, showing that execution
of this procedure is secure.
5.9 Draw a syntax tree showing how the certification mechanism of Section
5.4.3 verifies the flows in the following statement:

while a > 0 do
begin
a := a − x;
b := a + y
end.
5.10 Following the approach in Section 5.4.2, give security conditions for a case
statement:

case a of
v1: S1;
v2: S2;
⋮
vn: Sn
end,

where a is a variable and v1, …, vn are values.
5.11 For each Boolean expression in the copy2 procedure shown in Figures 5.11
and 5.12, identify the set of blocks directly conditioned on the expression.
Assume the value of x can be any integer (i.e., is not restricted to the values
0 and 1). Use your results to identify all implicit flows in the procedure,
showing that the procedure is secure.
5.12 Extend the certification semantics of Table 5.6 to include the following
statements for concurrent programs:
signal(s);
wait(s);
cobegin S1; …; Sn end.
Your semantics should provide an efficient method of verifying the relations
s ≤ y for every object y that is the target of an assignment in a statement
logically following an operation wait(s). Note that you will have to extend
the semantics of other statements to do this. In particular, you will have to
extend the semantics of the while statement to certify global flows from the
loop condition. Show how the extended mechanism certifies the procedures
copy3 (Figure 5.13) and copy4 (Figure 5.14).
5.13 Given the statement

if x = 0
then begin
t := a;
y := t
end,

prove the precondition (x ≤ Low, pc ≤ Low) implies the postcondition
(x ≤ Low, (x = 0) ⊃ (y ≤ a), pc ≤ Low).
5.14 Prove the precondition implies the postcondition in the following procedure:

procedure mod(x, n: integer; var y: integer);
var i: integer;
(n > 0, pc ≤ PCm)
begin "compute y = x mod n"
i := x div n;
y := x − i*n;
if y < 0 then y := y + n
(0 ≤ y < n, (y − x) mod n = 0, y ≤ x ⊕ n ⊕ PCm, pc ≤ PCm)
end mod.
5.15 Using the procedure mod in the preceding exercise, prove the following:

(a = 12, n = 5, pc ≤ Low, n ≤ Low)
mod(a, n, b)
(b = 2, b ≤ a, pc ≤ Low, n ≤ Low).
5.16 Give a proof rule for an array assignment of the form
a[i1, …, in] := b .

Prove the following:
REFERENCES
Alle70. Allen, F. E., "Control Flow Analysis," Proc. Symp. Compiler Optimization, ACM
SIGPLAN Notices Vol. 5(7) pp. 1-19 (July 1970).
Gat75. Gat, I. and Saal, H. J., "Memoryless Execution: A Programmer's Viewpoint," IBM
Tech. Rep. 025, IBM Israeli Scientific Center, Haifa, Israel (Mar. 1975).
Grie80. Gries, D. and Levin, G., "Assignment and Procedure Call Proof Rules," ACM
Trans. on Programming Languages and Systems Vol. 2(4) pp. 564-579 (Oct. 1980).
Hoar69. Hoare, C. A. R., "An Axiomatic Basis for Computer Programming," Comm.
ACM Vol. 12(10) pp. 576-581 (Oct. 1969).
Jone75. Jones, A. K. and Lipton, R. J., "The Enforcement of Security Policies for Compu-
tation," Proc. 5th Symp. on Oper. Syst. Princ., ACM Oper. Syst. Rev. Vol. 9(5), pp.
197-206 (Nov. 1975).
Karg78. Karger, P. A., "The Lattice Model in a Public Computing Network," Proc. ACM
Annual Conf. Vol. 1 pp. 453-459 (Dec. 1978).
Lamp73. Lampson, B. W., "A Note on the Confinement Problem," Comm. ACM Vol.
16(10) pp. 613-615 (Oct. 1973).
Lipn75. Lipner, S. B., "A Comment on the Confinement Problem," Proc. 5th Symp. on
Oper. Syst. Princ., ACM Oper. Syst. Rev. Vol. 9(5) pp. 192-196 (Nov. 1975).
Lond78. London, R. L., Guttag, J. V., Horning, J. J., Lampson, B. W., Mitchell, J. G., and
Popek, G. J., "Proof Rules for the Programming Language Euclid," Acta Informa-
tica Vol. 10 pp. 1-26 (1978).
Mill76. Millen, J. K., "Security Kernel Validation in Practice," Comm. ACM Vol. 19(5)
pp. 243-250 (May 1976).
Mill78. Millen, J. K., "Constraints and Multilevel Security," pp. 205-222 in Foundations
of Secure Computation, ed. R. A. DeMillo et al., Academic Press, New York (1978).
Mill81. Millen, J. K., "Information Flow Analysis of Formal Specifications," in Proc. 1981
Symp. on Security and Privacy, IEEE Computer Society, pp. 3-8 (Apr. 1981).
Mins67. Minsky, M., Computation: Finite and Infinite Machines, Prentice-Hall, Engle-
wood Cliffs, N.J. (1967).
Neum80. Neumann, P. G., Boyer, R. S., Feiertag, R. J., Levitt, K. N., and Robinson, L.,
"A Provably Secure Operating System: The System, Its Applications, and Proofs,"
Computer Science Lab. Report CSL-116, SRI International, Menlo Park, Calif.
(May 1980).
Reed79. Reed, D. P. and Kanodia, R. K., "Synchronization with Eventcounts and Sequenc-
ers," Comm. ACM Vol. 22(2) pp. 115-123 (Feb. 1979).
Reit79. Reitman, R. P., "A Mechanism for Information Control in Parallel Programs,"
Proc. 7th Symp. on Oper. Syst. Princ., ACM Oper. Syst. Rev., pp. 55-62 (Dec.
1979).
Rote74. Rotenberg, L. J., "Making Computers Keep Secrets," Ph.D. Thesis, TR-115, MIT
(Feb. 1974).
Rush81. Rushby, J. M., "Design and Verification of Secure Systems," Proc. 8th Symp. on
Oper. Syst. Princ., ACM Oper. Syst. Rev., Vol. 15(5), pp. 12-21 (Dec. 1981).
Sche72. Schell, R., Downey, P., and Popek, G., "Preliminary Notes on the Design of a
Secure Military Computer System," MCI-73-1, USAF Electronic Systems Div.,
Bedford, Mass. (Oct. 1972).
Weis69. Weissman, C., "Security Controls in the ADEPT-50 Time-Sharing System," pp.
119-133 in Proc. Fall Jt. Computer Conf., Vol. 35, AFIPS Press, Montvale, N.J.
(1969).
Wood79. Woodward, J. P. L., "Applications for Multilevel Secure Operating Systems," pp.
319-328 in Proc. NCC, Vol. 48. AFIPS Press, Montvale, N.J. (1979).
Inference Controls
When information derived from confidential data must be declassified for wider
distribution, simple flow controls as described in the previous chapter are inad-
equate. This is true of statistical databases, which can contain sensitive informa-
tion about individuals or companies. The objective is to provide access to statistics
about groups of individuals, while restricting access to information about any
particular individual. Census bureaus, for example, are responsible for collecting
information about all citizens and reporting this information in a way that does
not jeopardize individual privacy.
The problem is that statistics contain vestiges of the original information. By
correlating different statistics, a clever user may be able to deduce confidential
information about some individual. For example, by comparing the total salaries
of two groups differing only by a single record, the user can deduce the salary of
the individual whose record is in one group but not in the other. The objective of
inference controls is to ensure that the statistics released by the database do not
lead to the disclosure of confidential data.
Although many databases are used for statistics only (e.g., census data),
general-purpose database systems may provide both statistical and nonstatistical
access. In a hospital database, for example, doctors may be given direct access to
patients' medical records, while researchers are only permitted access to statistical
summaries of the records. Although we are primarily interested in protection
mechanisms for general-purpose systems, we shall also describe mechanisms for
statistics-only databases.
The information state of a statistical database system has two components: the
data stored in the database and external knowledge. The database contains infor-
mation about the attributes of N individuals (organizations, companies, etc.).
There are M attributes (also called variables), where each attribute Aj (1 ≤ j
≤ M) has |Aj| possible values. An example of an attribute is Sex, whose two
possible values are Male and Female. We let x_ij denote the value of attribute j for
individual i. When the subscript j is not important to the discussion, we shall write
simply x_i to denote the value of an attribute A for individual i.
It is convenient to view a statistical database as a collection of N records,
where each record contains M fields, and xij is stored in record i, field j (see Figure
6.1). Note that this is equivalent to a relation (table) in a relational database
[Codd70,Codd79], where the records are M-tuples of the relation. If the informa-
tion stored in the database is scattered throughout several relations, then the rela-
tion depicted in Figure 6.1 corresponds to the "natural join" of these relations. We
shall assume that each field is defined for all individuals, and that each individual
has a single record.
Example:
Table 6.1 shows a (sub) database containing N = 13 confidential student
records for a hypothetical university having 50 departments. Each record has
M = 5 fields (excluding the identifier), whose possible values are shown in
Table 6.2. The attribute S A T specifies a student's average on the S A T
(Scholastic Aptitude Test) and GP specifies a student's current grade-point.
Unless otherwise stated, all examples refer to this database. 1
External knowledge refers to the information users have about the database.
There are two broad classes of external knowledge: working knowledge and sup-
plementary knowledge. Working knowledge is knowledge about the attributes rep-
resented in the database (e.g., the information in Table 6.2) and the types of
¹Jan Schlörer, Elisabeth Wehrle, and I [Denn82] have extended the model described
here, showing how a statistical database can be viewed as a lattice of tables, and how different controls
can be interpreted in terms of the lattice structure. Because this work was done after the book had gone
into production, it was not possible to integrate it into this chapter.
which specifies all male students majoring in either CS or EE. We shall omit
attribute names where they are clear from context, e.g., "Male • (CS + EE)". We
shall also use relational operators in the specification of characteristics, since these
are simply abbreviations for the "or" of several values; for example, "GP > 3.7" is
equivalent to "(GP = 3.8) + (GP = 3.9) + (GP = 4.0)".
The set of records whose values match a characteristic formula C is called
the query set of C. For example, the query set of C = "Female • CS" is {1, 4},
which consists of the records for Allen and Davis. We shall write "C" to denote
both a formula and its query set, and |C| to denote the number of records in C
(i.e., the size of C). We denote by All a formula whose query set is the entire
database; thus C ⊆ All for any formula C, where "⊆" denotes query set inclusion.
Given |Aj| values for each of the M attributes Aj (j = 1, …, M), there are

E = |A1| × |A2| × ⋯ × |AM|

possible distinguishable records described by formulas of the form

(A1 = a1) • (A2 = a2) • ⋯ • (AM = aM) ,

where aj is some value of attribute Aj. The query set corresponding to a formula of
this form is called an elementary set because it cannot be further decomposed. The
records in an elementary set (if any) are indistinguishable. Thus there are E
elementary sets in the database, some of which may be empty. We let g denote the
maximum size of all elementary sets; thus g is the maximum number of individuals
having identical records, that is, the size of the largest indecomposable query set.
If the number of records N satisfies N ≤ E, then every individual may be identified by a unique elementary set, giving g = 1.
Example:
If we allow queries over all five attributes in Table 6.1, E = (2)(50)(4)(50)(41)
= 820,000; g = 1 because each record is uniquely identifiable. If queries
are restricted to the attributes Sex, Major, and Class, then E = 400; g = 2
because two students have the common characteristic "Male • EE • 1978". ∎
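Figures like E and g are easy to check directly. In the sketch below only the attribute sizes (2, 50, 4) come from the text; the sample records are invented stand-ins:

```python
from collections import Counter

# E is the number of elementary sets: the product of the attribute sizes.
sizes = {"Sex": 2, "Major": 50, "Class": 4}
E = 1
for n in sizes.values():
    E *= n

# g is the size of the largest group of identical records.  These records
# are hypothetical; two share the characteristic Male . EE . 1978.
records = [("Male", "EE", 1978), ("Male", "EE", 1978), ("Female", "CS", 1980)]
g = max(Counter(records).values())

assert E == 400 and g == 2
```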
Statistics are calculated over the values associated with a query set C. The
simplest statistics are counts (frequencies) and sums:

count(C) = |C|

sum(C, Aj) = Σ_{i∈C} x_ij .
Example:
count(Female • CS) = 2, and sum(Female • CS, SAT) = 1400. ∎
Note that sums apply only to numeric data (e.g., GP, and SAT). The responses
from counts and sums are used to calculate relative frequencies and averages
(means):
rfreq(C) = count(C)/N = |C|/N

avg(C, Aj) = sum(C, Aj)/|C| .
Example:
avg(Female • CS, SAT) = 1400/2 = 700. ∎
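These basic statistics are simple to compute over a query set. In the sketch below the records and SAT values are invented stand-ins (chosen only so that the Female • CS figures match the examples), not the actual Table 6.1 data:

```python
# Hypothetical fragment of the student database: (Name, Sex, Major, SAT).
db = [("Allen", "Female", "CS", 600),
      ("Davis", "Female", "CS", 800),
      ("Evans", "Male", "Bio", 500)]

def query_set(pred):
    # The query set of a characteristic formula, given as a predicate.
    return [r for r in db if pred(r)]

female_cs = query_set(lambda r: r[1] == "Female" and r[2] == "CS")
count = len(female_cs)                      # count(Female . CS)
total = sum(r[3] for r in female_cs)        # sum(Female . CS, SAT)
avg = total / count                         # avg(Female . CS, SAT)
assert (count, total, avg) == (2, 1400, 700.0)
```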
Counts and sums are special cases of statistics of the form

q(C, e1, …, eM) = Σ_{i∈C} x_i1^e1 · x_i2^e2 ⋯ x_iM^eM , (6.1)

where the jth exponent for the sum is 1, and all other exponents are 0. Means,
variances, covariances, and correlation coefficients can also be computed. For
example, the mean and variance of attribute A1 are given by:

X̄1 = avg(C, A1) = q(C, 1, 0, …, 0) / |C|

σ1² = var(C, A1) = [q(C, 2, 0, …, 0) − |C|(X̄1)²] / (|C| − 1) .
The covariance of attributes A1 and A2 is given by
By q(C) we shall mean any statistic, or query for a statistic, of the form (6.1).
Another type of statistic selects some value (smallest, largest, median, etc.)
from the query set. We shall write
median(C, Aj)
to denote the median, or ⌈|C|/2⌉th smallest, value of attribute Aj in the query set C,
where "⌈ ⌉" denotes the ceiling (round up to the nearest integer). Note that when the
query-set size is even, the median is the smaller of the two middle values, and not
their average.
Example:
The set of GPs for all female students is {2.5, 2.5, 2.8, 3.4, 3.8, 4.0}; thus
median(Female, GP) = 2.8. ∎
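This median convention (for even-sized sets, the smaller of the two middle values rather than their average) transcribes directly; a minimal sketch:

```python
import math

# The database median: the ceil(|C|/2)-th value counting from the bottom.
def db_median(values):
    ordered = sorted(values)
    return ordered[math.ceil(len(ordered) / 2) - 1]

assert db_median([2.5, 2.5, 2.8, 3.4, 3.8, 4.0]) == 2.8   # even size
assert db_median([1, 2, 3]) == 2                           # odd size
```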
Statistics derived from the values of m distinct attributes are called m-order
statistics. The attributes can be specified by terms in the characteristic formula C,
or by nonzero exponents ej in Formula (6.1). There is a single 0-order statistic,
namely count(All). Examples of 1-order statistics are count(Male) and sum(All,
GP). Examples of 2-order statistics are count(Male • CS) and sum(Male, GP).
Note that count(EE + CS) is a 1-order statistic because CS and EE are values of
the same attribute.
Example:
The statistic
sum(EE • Female, GP) = 2.5

is sensitive, because it gives the exact grade-point of Baker, the only female
student in EE. ∎
Example:
A statistic giving the sum of the exact earnings of IBM and all early music
Clearly, all sensitive statistics must be restricted (i.e., not permitted). In addition,
it may be necessary to restrict certain nonsensitive statistics if they could lead to
disclosure of sensitive ones.
Example:
Suppose that the only statistics classified as sensitive in the sample database
are those computed from query sets of size 1. Then neither sum(EE, GP) nor
sum(EE • Male, GP) is sensitive. At least one of these statistics must be
restricted, however, because if they are both released, Baker's grade-point is
disclosed:
sum(EE • Female, GP)
= sum(EE, GP) - sum(EE • Male, GP)
= 12.0 - 9.5
= 2.5. ∎
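This complement attack can be replayed on hypothetical data. The individual records below are invented (only the two totals come from the text); the male GPs are assumptions chosen to sum to 9.5:

```python
# Hypothetical EE records consistent with the text's totals: three male
# students (GPs assumed) and Baker, the only female EE student.
ee = [("Baker", "Female", 2.5), ("Cook", "Male", 3.0),
      ("Hayes", "Male", 3.2), ("Moore", "Male", 3.3)]

def gp_sum(sex=None):
    return round(sum(gp for _, s, gp in ee if sex in (None, s)), 1)

# Neither released statistic is sensitive on its own ...
total, male_total = gp_sum(), gp_sum("Male")
assert (total, male_total) == (12.0, 9.5)

# ... but their difference discloses Baker's grade-point exactly.
assert round(total - male_total, 1) == 2.5
```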
Let R be a set of statistics released to a particular user, and let K denote the
user's supplementary knowledge. Statistical disclosure [Haq75] occurs whenever
the user can deduce from R and K something about a restricted statistic q; in
terms of classical information theory (see Section 1.4),
Example:
Disclosure of sum(EE • Female, GP) can lead to personal disclosure of
Baker's GP only if some user knows that Baker is a female student majoring
in EE. The user must also know that Baker is the only female student in EE;
this could be deduced from the statistic

count(EE • Female) = 1

or, if this statistic is restricted (because it isolates a single individual), from

count(EE) − count(EE • Male) = 4 − 3 = 1 . ∎
The amount of information (in bits) that a set of statistics R discloses about a
statistic q is measured by the reduction of entropy: H_K(q) − H_{K,R}(q).
A disclosure may be either exact or approximate. Exact disclosure occurs
when q is determined exactly; thus, H_{K,R}(q) = 0. For example, the preceding
disclosure of Baker's grade-point is exact.
Approximate disclosure occurs when q is not determined exactly. Dalenius
describes three types of approximate disclosure [Dale77]. First, a disclosure may
reveal bounds L and U such that L ≤ q ≤ U.
Example:
If it is known only that count(EE • Female) ≥ 1, then release of the statistic
R = count(EE) = 4 implies

1 ≤ count(EE • Female) ≤ 4 ,

thereby reducing the uncertainty about count(EE • Female) to

H_{K,R}(count(EE • Female)) = 2

bits of information (assuming all counts in the range [1, 4] are equally
likely). ∎
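The 2-bit figure is just the entropy of a uniform distribution over the four possible counts; a one-line check:

```python
import math

# Uncertainty about count(EE . Female) when it is known only to lie in
# [1, 4], all four values equally likely: H = -sum p*log2(p) = log2(4).
p = 1 / 4
H = -sum(p * math.log2(p) for _ in range(4))
assert H == 2.0
```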
Example:
Release of the statistics
count(EE) = 4
count(EE • (GP ≥ 3.0)) = 3
count(EE • Male) = 3
count(EE • Male • (GP ≥ 3.0)) = 3

reveals that

0 ≤ sum(EE • Female, GP) < 3.0 . ∎
Example:
Suppose an estimate q̂ of q is a random variable drawn from a distribution
approximately normal with standard deviation σ_q̂. We then have:

Pr[q ∈ [q̂ ± 1.645σ_q̂]] ≈ .90
Pr[q ∈ [q̂ ± 1.960σ_q̂]] ≈ .95
Example:
Let q = sum(EE • Female, GP) = 2.5, p = .95, and k = 1.0. Then an
estimate q̂ = 2.0 such that

Pr[q ∈ [2.0 ± 0.5]] ≥ .95

discloses q. Note that if a released set of statistics shows that q must lie in
the interval [2.0, 3.0], then q is disclosed because [2.0, 3.0] is a 100% confi-
dence interval for every estimate in the interval. ∎
Note that N_q is similar to the unicity distance of a cipher (see Section 1.4.3); it is
the number of statistics needed to reduce the uncertainty about q to an unacceptable level.
Frank [Fran77] has investigated another way of applying information theory
to disclosure. He defines the disclosure set D to be the set of individuals whose
attributes are known. Personal disclosure occurs when the size of this set increases
by at least 1. The uncertainty H_K(D) of D is a function of the frequency distribution
of the variables in the database and a user's supplementary knowledge. This
uncertainty decreases by H_K(D) − H_{K,R}(D) when a set R of frequency distributions
is released.
An inference control mechanism must protect all sensitive statistics. Let S be the
set of all statistics, P the subset of S classified as nonsensitive, and R the subset of
S released. Let D be the set of statistics disclosed by R (including the statistics in
R). The statistical database is secure if D ⊆ P; that is, no sensitive statistic is
disclosed by R.
[Figure 6.2: the set of all statistics is partitioned into sensitive and nonsensitive statistics (given the policy) and into released and disclosed statistics (given the mechanism). Secure: D ⊆ P. Precise: D = P.]
We would like the released set R to be complete in the sense that all nonsen-
sitive statistics are in R or are computable from R (i.e., disclosed by R). A system
in which D = P is said to be precise. Whereas secrecy is required for privacy,
precision is required for freedom of information. Figure 6.2 illustrates the require-
ments for security and precision; note the similarity of this figure with Figures 4.4
and 5.4.
The problem is that it can be extremely difficult to determine whether re-
leasing a statistic will lead to disclosure of a sensitive statistic (violating security),
or prevent the release of a complete set of statistics (violating precision). Most
statistics lead to disclosure only when they are correlated with other statistics.
Example:
Although neither of the statistics sum(EE, GP) and sum(EE • Male, GP) is
sensitive, if one is released, the other must be restricted to protect Baker's
grade-point. Furthermore, it must be impossible to compute the restricted
statistic from the set of released statistics. ∎
This example shows that it is not generally possible to release a complete set
of statistics; thus, any inference control mechanism must be imprecise. If we settle
for releasing a maximal set of statistics, we find that the problem of determining a
maximal set of statistics is NP-complete [Chin80].
Whether a statistic can lead to disclosure depends on a user's supplementary
knowledge. Because it is not usually feasible to account for a particular user's
supplementary knowledge, many mechanisms are based on a worst-case assump-
tion about supplementary knowledge. A mechanism for the student record data-
base, for example, might assume that a user knows the Sex, Major, and Class of
every student, and the GP and SAT of some of the students.
To avoid restricting too many statistics, many statistical databases add
"noise" to the data or to released statistics. The objective is to add enough noise
that most nonsensitive statistics can be released without endangering sensitive
ones--but not so much that the released statistics become meaningless.
Many of the mechanisms depend on the method in which statistics are released.
Census bureaus and other agencies that conduct population surveys have tradition-
ally released statistics in two formats: macrostatistics and microstatistics.
Example:
Tables 6.3 and 6.4 show counts and total SAT scores for the student record
database. The entries inside the tables give statistics for query sets defined
by all possible values of Sex and Class. For example, the entry in row 1,
TABLE 6.3 Counts by Sex and Class.

            Class
Sex      1978  1979  1980  1981   Sum
Female     1     2     2     1     6
Male       3     2     0     2     7
Sum        4     4     2     3    13

TABLE 6.4 Total SAT scores by Sex and Class. [Entries not recovered; the layout parallels Table 6.3.]
column 3 gives the 2-order statistic count(Female • 1980) in Table 6.3, and
the 3-order statistic sum(Female • 1980, SAT) in Table 6.4. The row sums
give statistics for the query sets defined by Sex, and the column sums for the
query sets defined by Class. For example, the sum for column 3 gives the
1-order statistic count(1980) in Table 6.3, and the 2-order statistic sum(1980,
SAT) in Table 6.4. Finally, the total gives the 0-order statistic count(All) in
Table 6.3 and the 1-order statistic sum(All, SAT) in Table 6.4. ∎
Example:
Because Davis is the only female student in the class of 1978, the total SAT
score shown in row 1, column 1 of Table 6.4 should be suppressed; otherwise,
any user knowing that she is represented in the database can deduce her
SAT score (the same holds for column 4, which represents Kline's SAT
score). We shall return to this example and study the principles of cell sup-
pression in Section 6.4.1. ∎
evaluation programs are used to compute desired statistics. These programs have
facilities for assembling (in main memory or on disk) query sets from the records
on the tape, and for computing statistics over the assembled records. New query
sets can be formed by taking a subset of the assembled records, or by assembling a
new set from the tape.
Because no assumptions can be made about the programs that process the
tapes, protection mechanisms must be applied at the time the tapes are created.
Census bureaus control disclosure by
The 1960 U.S. Census, for example, was distributed on tape as a random sample
of 1 record out of 1000 with names, addresses, and exact geographical locations
removed [Hans71]. A snooper would have at best a 1/1000 chance of associating a
given sample record with the right individual.
Macrostatistics and microstatistics have been used for the one-time publica-
tion of data collected from surveys. Because they can be time-consuming and
costly to produce, they are not well suited for the release of statistics in on-line
database systems that are frequently modified.
Most of the techniques discussed in this chapter are for these systems. A compre-
hensive discussion of the techniques used by government agencies to protect mac-
rostatistics and microstatistics is given in [U.S.78].
We shall first study methods of attacking statistical databases, and then
study techniques that reduce the threat of such attacks.
Before we can evaluate the effectiveness of existing and proposed inference con-
trols, we must understand the threat. In this section, we shall examine several
kinds of disclosure techniques. All the methods involve using released statistics and
supplementary knowledge to solve a system of equations for some unknown.
Similarly, the user can learn the value of attribute A for I by asking for the
statistic sum(C, A).
Example:
Suppose a user knows Evans is represented in the student record database,
and that Evans is a male biology student in the class of 1979. The statistic

count(Male • Bio • 1979) = 1
This type of attack may work even when an individual cannot be uniquely
identified. Suppose that an individual I is known to satisfy C and count(C) > 1. If
Query-Set-Size Control. These results show that any statistical database needs
at least a mechanism that restricts query sets having fewer than n or more than N
- n records, for some positive integer n:
Query-Set-Size Control:
A statistic q(C) is permitted only if

n ≤ |C| ≤ N − n ,

where n ≥ 0 is a parameter of the database. ∎
(See Figure 6.3.) Note that n ≤ N/2 if any statistics at all are to be released. Note
also that this restricts the statistics q(All). In practice these statistics can be
released; if they are restricted, they can be computed from q(All) = q(C)
+ q(~C) for any C such that n ≤ |C| ≤ N − n.
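The control itself is a one-line predicate; a minimal sketch (the function and parameter names are invented):

```python
# Query-set-size control: answer q(C) only if n <= |C| <= N - n.
def permitted(c_size, N, n):
    return n <= c_size <= N - n

N, n = 13, 3                      # the student database, with n = 3
assert not permitted(1, N, n)     # isolates one individual: refused
assert permitted(6, N, n)         # mid-sized query sets are answerable
assert not permitted(12, N, n)    # complement has only one record: refused
```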
The query-set-size control provides a simple mechanism for preventing many trivial
compromises. Unfortunately, the control is easily subverted. Schlörer [Schl75]
showed that compromises may be possible even for n near N/2 by a simple snooping
tool called the "tracker". The basic idea is to pad small query sets with enough
extra records to put them in the allowable range, and then subtract out the effect
of the padding. The following describes different types of trackers.
The pair of formulas (C1, C1 • ~C2) is called the individual tracker (of I) because
it helps the user to "track down" additional characteristics of I. The method of
compromise is summarized as follows:

Individual Tracker Compromise:
Let C = C1 • C2 be a formula uniquely identifying individual I, and let T
= C1 • ~C2 [see Figure 6.4(a)]. Using the permitted statistics count(T) and
count(T + C1 • D), compute:

count(C • D) = count(T + C1 • D) − count(T) (6.3)
sum(C, A) = sum(C1, A) − sum(T, A)
count(C) = count(C1) − count(T) . (6.4) ∎
[Figure 6.4: (a) query sets C = C1 • C2 and tracker T = C1 • ~C2; (b) q(C • D) = q(T + C1 • D) − q(T).]
Example:
Evans is identified by the formula

C = Male • Bio • 1979 .

Let n = 3, C1 = Male, and C2 = Bio • 1979. Then

T = C1 • ~C2
  = Male • ~(Bio • 1979) .

We can determine whether Evans is uniquely identified by C and whether his
SAT score is at least 600 by applying Eqs. (6.4) and (6.3), where D = (SAT
≥ 600):

count(Male • Bio • 1979)
= count(Male) − count(Male • ~(Bio • 1979))
= 7 − 6
= 1

count(Male • Bio • 1979 • (SAT ≥ 600))
= count(Male • ~(Bio • 1979) + Male • (SAT ≥ 600))
− count(Male • ~(Bio • 1979))
= 6 − 6
= 0 .
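The whole compromise can be replayed on a toy database. The records below are invented, arranged only so that count(Male) = 7 and Evans is the sole male biology student of 1979, as in the example:

```python
# Invented 13-record database: (Sex, Major, Class).
db = ([("Male", "Bio", 1979)] +           # Evans
      [("Male", "EE", 1978)] * 6 +        # six other male students (assumed)
      [("Female", "CS", 1980)] * 6)       # six female students (assumed)

def count(pred):
    return sum(1 for r in db if pred(r))

C1 = lambda r: r[0] == "Male"                    # known: Evans is male
C2 = lambda r: r[1] == "Bio" and r[2] == 1979    # known: Bio, class of 1979
T = lambda r: C1(r) and not C2(r)                # tracker T = C1 . ~C2

# Both count(C1) and count(T) are answerable (sizes 7 and 6 lie in [3, 10]),
# yet their difference isolates Evans:
assert count(C1) == 7 and count(T) == 6
assert count(C1) - count(T) == 1
```

The padding (the six other male records) puts both query sets in the allowable range; subtracting removes it again.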
General Trackers. The individual tracker is based on the concept of using categories
known to describe a certain individual to determine other information about
that individual. A new individual tracker must be found for each person. Schwartz
[Schw77] and Denning, Denning, and Schwartz [Denn79] showed that this restriction
could be removed with "general" and "double" trackers. A single general
or double tracker can be used to compute the answer to every restricted statistic in
the database. No prior knowledge about anyone in the database is required
(though some supplementary knowledge is still required for personal disclosure).
A general tracker is any characteristic formula T such that

2n ≤ |T| ≤ N − 2n .

Notice that queries q(T) are always answerable, because |T| is well within the
range [n, N − n] (see Figure 6.5).
Obviously, n must not exceed N/4 if a general tracker is to exist at all.
Schlörer [Schl80] showed that if g ≤ N − 4n, where g is the size of the largest
elementary set (see Section 6.1.2), then the database must contain at least one
general tracker.
[Figure 6.5: the allowable range [n, N − n] of query-set sizes, with the subrange
[2n, N − 2n] in which a general tracker must lie.]
Let w = |C • T|, x = |C • ~T|, y = |~C • T|, and z = |~C • ~T|. Note that
q(All) = q(T) + q(~T) can be computed from two answerable queries. If the query
set C is too small, q(C) can be computed as

q(C) = q(C + T) + q(C + ~T) − q(All)   (6.5)
     = (w + x + y) + (w + x + z) − (w + x + y + z)
     = w + x .

If the query set is too large,

q(C) = 2q(All) − q(~C + T) − q(~C + ~T) .   (6.6)
If the user does not know whether the query set is too small or too large,
Formula (6.5) can be tried first; if the queries on the right-hand side are
permitted, the user can proceed; otherwise, Formula (6.6) can be used. Thus,
q(C) can be computed with at most five queries. ■
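Formulas (6.5) and (6.6) can be verified on synthetic data. In this sketch (the record identifiers and the choice of T are invented), query sets are plain Python sets and q is a size-restricted count:

```python
# Synthetic illustration of the general tracker compromise; the database is
# just record identifiers 0..19, and q is a count query restricted to [n, N-n].
All = set(range(20))
N, n = len(All), 3

def q(S):
    assert n <= len(S) <= N - n, "query would be refused"
    return len(S)

T = set(range(8))            # a general tracker: 2n <= |T| <= N - 2n
notT = All - T
q_All = q(T) + q(notT)       # q(All) from two answerable queries

# Small query set (|C| < n): Formula (6.5)
C = {0, 15}
qC = q(C | T) + q(C | notT) - q_All
assert qC == len(C)          # recovers the restricted count 2

# Large query set (|C| > N - n): Formula (6.6)
C2 = All - {7}
notC2 = All - C2
qC2 = 2 * q_All - q(notC2 | T) - q(notC2 | notT)
assert qC2 == len(C2)        # recovers the restricted count 19
```

All queries submitted to q have sizes between 8 and 13, yet the restricted counts 2 and 19 are both recovered.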
Example:
Let n = 3 in the student record database. To be answerable, a query set's size
must fall in the range [3, 10], but a general tracker's query-set size must fall
in the narrower range [2n, N − 2n] = [6, 7].
Once a tracker is found, any restricted statistic can be computed with just a
few queries. We might hope that finding trackers would be difficult, but unfortunately
this is not the case. Denning and Schlörer [Denn80a] constructed an algorithm
that finds a tracker within O(log2 E) queries, where E is the number of
elementary sets. The algorithm begins by taking a formula C1 such that |C1| < 2n,
and a formula C2 = All. Then C1 is padded and C2 reduced until either |C1| or
|C2| falls inside the range [2n, N − 2n]. The padding and reducing is done using a
binary search strategy, whence convergence is in logarithmic time. The results of
an experiment performed on a medical database showed that a tracker could often
be found with just one or two queries. Schlörer [Schl80] also showed that large
proportions of the possible queries in most databases are general trackers; thus, a
general tracker is apt to be discovered quickly simply by guessing.
Double Trackers. We might hope to secure the database by restricting the range
of allowable query sets even further. Because general trackers may exist for n near
N/4, we must make n > N/4. Before we consider the security of such a strategy,
let us examine its implications: n = N/4 already restricts half of all possible query-set
sizes; even this is probably too large for most statistical applications. Any
larger value of n is likely to seriously impair the utility of the database.
[Figure: the sets T, ~T, U, and ~U used in the double tracker compromise.]

A union tracker is a set of mutually disjoint formulas (T1, . . ., Tu) satisfying

n ≤ |Ti| ≤ N − n − g

for i = 1, . . ., u, where g is the size of the largest elementary set. The formulas Ti
can be used to compute any restricted statistic q(C) when n ≤ N/2 − g.
Union Tracker Compromise:
Let q(C) be a restricted statistic, and let (T1, . . ., Tu) be a union tracker.
Split C into elementary sets S1, . . ., St such that C = S1 + · · · + St. For each
Sj, find a Ti such that Sj ⊄ Ti (whence Sj ∩ Ti = ∅), and compute

q(Sj) = q(Ti + Sj) − q(Ti) ,   (6.9)

q(C) = q(S1) + · · · + q(St) . ■
In general, the method is more difficult to apply than general or double trackers,
especially for n near N / 2 - g. Still, it demonstrates that controls restricting only
the sizes of query sets are doomed to failure.
A set of answered sum queries corresponds to a linear system

H X = Q ,

which may be solvable for some xj, where X = (x1, . . ., xN) and Q = (q1, . . ., qm)
are column vectors, and hij = 1 if j ∈ Ci and hij = 0 otherwise (1 ≤ i ≤ m, 1 ≤ j ≤ N).
Example:
The queries q1 = sum(Female, GP) = 19.0 and q2 = sum(Female + Male
• CS • 1979, GP) = 22.5 correspond to the linear system:

[ 1 1 0 1 0 0 0 1 0 1 0 0 0 ]   [ x1  ]     [ 19.0 ]
[ 1 1 0 1 0 0 0 1 0 1 1 0 1 ]   [  ⋮  ]  =  [ 22.5 ]
                                [ x13 ]
All the tracker attacks studied in the previous section are examples of linear-system attacks.
Example:
Suppose k = 3 and consider the following queries:

sum({1, 2, 3}, A) = x1 + x2 + x3 = q1
sum({1, 2, 4}, A) = x1 + x2 + x4 = q2
sum({1, 3, 4}, A) = x1 + x3 + x4 = q3
sum({2, 3, 4}, A) = x2 + x3 + x4 = q4 .
Query-Set-Overlap Control:
A statistic q(C) is permitted only if |C • D| ≤ r for all q(D) that have been
released, where r > 0 is a parameter of the system. ■
k ≤ m(N, k, 1) ≤ 2k − 1 .

The case

k(k + 1)/2 < N < k² − k + 1

was left open.
Example:
The following illustrates how x7 can be compromised with five queries when
k = 3 and r = 1:

q1 = x1 + x2 + x3
q2 = x4 + x5 + x6
q3 = x1 + x4 + x7
q4 = x2 + x5 + x7
q5 = x3 + x6 + x7 .

Then x7 = (q3 + q4 + q5 − q1 − q2)/3 . ■
In general,

x_{k²−k+1} = [ (q_k + q_{k+1} + · · · + q_{2k−1}) − (q_1 + · · · + q_{k−1}) ] / k .
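A quick numeric check of the five-query compromise above, with invented data values:

```python
# Numeric check of the query-set-overlap compromise for k = 3, r = 1.
# The values x1..x7 are invented; x[6] plays the role of x7 (0-based list).
x = [5, 1, 4, 2, 8, 6, 7]

def qsum(ids):
    return sum(x[i - 1] for i in ids)

queries = [{1, 2, 3}, {4, 5, 6}, {1, 4, 7}, {2, 5, 7}, {3, 6, 7}]
# overlap control: any two distinct query sets share at most r = 1 record
assert all(len(a & b) <= 1 for a in queries for b in queries if a is not b)

q1, q2, q3, q4, q5 = (qsum(s) for s in queries)
x7 = (q3 + q4 + q5 - q1 - q2) / 3
print(x7)    # 7.0, the value of the targeted record
```

Each pair of query sets overlaps in at most one record, so every query is permitted under the overlap control, yet x7 is disclosed exactly.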
Davida, Linton, Szelag, and Wells [Davi78] and Kam and Ullman [Kam77]
have also shown that a minimum overlap control often can be subverted using
key-specified queries.
Another type of attack uses queries that select some value from the query set. In
this section we consider queries for medians.
Example:
Suppose a user knows that Allen is the only student satisfying the formula
(Female • CS • 1980). Compromise is possible given two query sets C and D
satisfying:

1. C • D = {i},
2. median(C, A) = median(D, A), and
3. xj ≠ xj′ for all j, j′ ∈ C ∪ D, j ≠ j′ ;

because the values are distinct, the common median must be xi, the value for
the single common record i.
To employ this attack, it is necessary to find two query sets that have the
same median and a single common record. DeMillo, Dobkin, and Lipton
[DeMi77] define m(k) to be the number of queries of the form median({i1, . . ., ik},
A) needed to find query sets satisfying Properties (1)-(3) under an overlap restriction
of r = 1, assuming no two values are the same. They show that compromise of
some xi is always possible within

m(k) = k + 1         if k is a prime power
       4(k² + 1)     otherwise

queries if N ≥ m(k) − 1.
A curious aspect of this result is that it applies to any type of selection
query, including those that lie! As long as the database always returns some value
in the query set, compromise is possible with any two queries satisfying only
Properties (1)-(3).
Example:
Consider these queries:

largest(EE • 1978 + Female • CS • 1980, GP) = 3.4   (lying)
Dynamic databases that allow insertions and deletions of records are vulnerable to
additional attacks. Hoffman [Hoff77] observed that a query-set-size restriction of
n can be subverted if records can be added to the database. If |C| < n, then
dummy records satisfying C are added to the database; if |C| > N − n, then
dummy records satisfying ~C are added. Of course, this type of attack presupposes
that the user has permission to add new records to the database; a user with
statistical access only cannot use this technique.
A second type of attack involves compromising newly inserted records. Let i
be a new record satisfying a formula C, and consider the following sequence of
operations:

q1 = q(C)
insert(i)
q2 = q(C) .

Then q(i) = q2 − q1. Chin and Ozsoyoglu [Chin79] show this threat can be
eliminated by processing insertions and deletions in pairs.
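The insertion attack amounts to differencing two permitted sums. The records and values below are invented; the point is only that the difference isolates the newly inserted record:

```python
# Compromising a newly inserted record; records and values are invented.
db = [("r1", 3.1), ("r2", 2.7), ("r3", 3.9), ("r4", 2.5)]   # records matching C

def q():
    """sum(C, A) over the records currently satisfying formula C."""
    return sum(v for _, v in db)

q1 = q()
db.append(("new", 3.4))      # insert(i): the new record also satisfies C
q2 = q()
print(round(q2 - q1, 1))     # 3.4: q(i) = q2 - q1 reveals the new record
```

Both q1 and q2 are computed over query sets of size 4 and 5, so neither would be refused by a size control alone.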
A third type of attack involves compromising an existing record i in a query
set C by observing the changes to a statistic q(C) when (pairs of) records are
added to or deleted from C. If |C| is odd, then i may be determined exactly (see
exercises at end of chapter). Chin and Ozsoyoglu show that this threat can be
eliminated by requiring that all query sets contain an even number of records
(dummy records may be added to achieve this).
These attacks may not pose a serious threat if users with statistics-only
access cannot insert and delete records, or otherwise control the changes being
made to the database. Thus, many systems may not need controls that counter
these attacks.
We have studied two controls that restrict statistics that might lead to compro-
mise: a query-set-size control and a query-set-overlap control. A size control, while
MECHANISMS THAT RESTRICT STATISTICS 359
[Figure: graph with vertical axis 10-100 (percent) against the Number of
Attributes Needed for Identification (4-10).]
criterion.† The control, proposed by Schlörer [Schl76], restricts query sets over
attributes that decompose the database into too many sets relative to the size N of
the database (whence some of the sets are likely to be small). Formally, let C be a
query set over attributes A1, . . ., Am, and let Sm = ∏_{i=1}^{m} |Ai| be the number of
elementary sets over A1, . . ., Am. A statistic q(C) is restricted if

Sm / N > t

for some threshold t (e.g., t = .1). The control is extremely efficient and less
restrictive than a maximum-order control. Although it does not guarantee security,
it can be combined with a simple perturbation technique to provide a high level
of security at low cost.
6.4.1 Cell Suppression
Cell suppression is one technique used by census bureaus to protect data published
in the form of 2-dimensional tables of macrostatistics. It involves suppressing from
the tables all sensitive statistics together with a sufficient number of nonsensitive
ones, called complementary suppressions, to ensure that sensitive statistics cannot
be derived from the published data. The sensitivity criterion for counts is typically
a minimum query-set size. The sensitivity criterion for sums might be an n-respondent,
k%-dominance rule, where a sensitive statistic is one in which n or fewer
values contribute more than k% of the total.
Example:
Let us now return to Table 6.4 in Section 6.2.2. Suppose we have an (n, k)
sensitivity rule, where n = 1 and k = 90. Clearly the entries in row 1,
[Two tables (Sex by Class, for 1978-1981, with a Sum column) showing the
entries before and after suppression.]
†Because the study was performed after the book had gone into production, it is not possible to
give details here.
where

x1 ≥ · · · ≥ xn ≥ · · · ≥ xm ,

then

d = x1 + · · · + xn .

The statistic q is sensitive if d > (k/100)q; that is, if q < q+, where q+ = (100/k)d
(see Figure 6.11). Note that it is actually d that requires protection.
It is considerably more difficult to determine whether a nonsensitive statistic
can be used to derive, exactly or approximately, a sensitive statistic. Following
Cox [Cox76, Cox78], we first discuss acceptable bounds on estimates of sensitive
statistics.
Let q̂ be an estimate of a sensitive statistic q. Now if q̂ ≥ q+, then q̂ does
not reveal any information about q that would not have been released if q were not
sensitive [i.e., if q ≥ (100/k)d were true]. Thus, a lower bound on an acceptable
upper estimate of q is given by

q+ = (100/k) d .

[Figure: number line showing d, q, and the acceptable estimates of q.]

Similarly, an upper bound on an acceptable lower estimate of q is given by

q− = (n/m)(100/k)² d .
Example:
Let k = 90, n = 2, m = 10, q = 950, and d = 900. Then q is sensitive,
because 950 < (100/90)900. An acceptable upper estimate of q is q+
= (100/90)900 = 1000, because q would then have been released. Now, if q
were at the sensitivity threshold (100/90)900 = 1000, we could conclude d
falls in the interval [(2/10)(100/90)900, 900] = [200, 900]. An acceptable
lower estimate of q is thus q− = (2/10)(100/90)²(900) = 222.2, which gives a
lower bound of 200 for d. ■
x11    6   x13    25
 8   x22   x23    30
x31  x32    3     20
20    30   25     75
Example:
Consider Table 6.7, where the variables xij denote sensitive entries that have
been suppressed. The six unknowns are related by the following equations:

x11 + x13 = 25 − 6 = 19   (1)
x22 + x23 = 30 − 8 = 22   (2)
x31 + x32 = 20 − 3 = 17   (3)
x11 + x31 = 20 − 8 = 12   (4)
x22 + x32 = 30 − 6 = 24   (5)
x13 + x23 = 25 − 3 = 22 . (6)

Equations (1)-(6) imply

0 ≤ x11 ≤ 12   (by 1 and 4)   (7)
0 ≤ x13 ≤ 19   (by 1 and 6)   (8)
0 ≤ x22 ≤ 22   (by 2 and 5)   (9)
0 ≤ x23 ≤ 22   (by 2 and 6)   (10)
0 ≤ x31 ≤ 12   (by 3 and 4)   (11)
0 ≤ x32 ≤ 17   (by 3 and 5) . (12)
These interval estimates can then be used to derive tighter bounds for x13, x22,
x23, and x32. By Eq. (3),

x32 = 17 − x31 ;

thus Eq. (11) implies

5 ≤ x32 ≤ 17 .   (13)

By Eq. (5),

x22 = 24 − x32 ;

thus Eq. (13) implies

7 ≤ x22 ≤ 19 .   (14)

By Eq. (2),

x23 = 22 − x22 ,

whence 3 ≤ x23 ≤ 15; and by Eq. (1), x13 = 19 − x11, whence 7 ≤ x13 ≤ 19. The
tightened interval estimates are:
0-12    6   7-19    25
 8    7-19  3-15    30
0-12  5-17    3     20
20     30    25     75
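The interval analysis of this example can be reproduced by brute force: Eqs. (1)-(6) leave a single degree of freedom, so sweeping it over the nonnegative solutions yields exactly the interval estimates above. (The enumeration below is only an illustration; it is not Cox's simplex-based algorithm.)

```python
# Brute-force interval analysis for the suppressed cells of Table 6.7.
# One free parameter t = x11 determines all six cells via Eqs. (1)-(6).
solutions = []
for t in range(0, 100):
    x11, x13 = t, 19 - t            # Eq. (1)
    x31 = 12 - x11                  # Eq. (4)
    x32 = 17 - x31                  # Eq. (3)
    x22 = 24 - x32                  # Eq. (5)
    x23 = 22 - x22                  # Eq. (2)
    cells = (x11, x13, x22, x23, x31, x32)
    if all(c >= 0 for c in cells) and x13 + x23 == 22:   # Eq. (6)
        solutions.append(cells)

bounds = [(min(col), max(col)) for col in zip(*solutions)]
# order: (x11, x13, x22, x23, x31, x32)
print(bounds)   # [(0, 12), (7, 19), (7, 19), (3, 15), (0, 12), (5, 17)]
```

The computed bounds agree with intervals (7)-(14) and the tightened table above.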
Cox [Cox78] gives a linear analysis algorithm that determines interval estimates
for suppressed internal cells in a 2-dimensional table. The algorithm is a
modification of the simplex algorithm of linear programming (e.g., see [Dant63]).
If the analysis uncovers unacceptable interval estimates, additional cells are suppressed
(the complementary suppressions), and the analysis is repeated until all
estimates are acceptable. The method does not always determine the minimum set of
complementary suppressions; this is an open problem. Sande [Sand77] has developed
a similar interval analysis procedure.
Cell suppression is limited by the computational complexity of the analysis
procedure. Whereas it has been successfully applied to 2- and 3-dimensional tables,
whether it could be adapted to query-processing systems for general-purpose
databases is an open problem. The set of all possible statistics for a database with
10 fields of data in each record corresponds to a 10-dimensional table. Applying
cell suppression to a table of this size may not be tractable.
[Figure 6.13: the database partitioned into the four sets a • b, a • ~b, ~a • b,
and ~a • ~b.]
man [Frie80] show how some of these attacks can be prevented by suppressing
nonsensitive statistics whose "implied query sets" fall outside the range [n, N − n].
Let q(C) be a 2-order statistic of the form C = a • b or C = a + b, where a
and b are values of attributes A and B respectively. The following relations hold
(see Figure 6.13):

q(a • ~b) = q(a) − q(a • b)                     (1)
q(~a • b) = q(b) − q(a • b)                     (2)
q(a • b) = q(a) + q(b) − q(a + b)               (3)
q(~a • ~b) = q(All) − q(a + b)
           = q(All) − q(a) − q(b) + q(a • b) .  (4)
Given q(a • b), Eqs. (1) and (2) can be used to derive q(a • ~b) and q(~a • b),
either of which could be sensitive even if q(a • b) is not. The formulas (a • ~b)
and (~a • b) are called the implied query sets of (a • b), and the statistic q(a • b) is
restricted if either its query set or its implied query sets fall outside the range [n,
N − n]. If q(All) is permitted (even though |All| > N − n), the formula q(~a •
~b) can be derived by Eq. (4), so that (~a • ~b) is also implied by (a • b).
Although q(a + b) can also be derived from q(a • b) by Eq. (3), q(a + b) cannot
lead to disclosure if q(~a • ~b) does not; therefore, it need not be explicitly
checked.
Given q(a + b), we can similarly derive q(a • b) by Eq. (3), and thereby also
derive q(a • ~b), q(~a • b), and q(~a • ~b). Therefore, the statistic q(a + b) is
restricted if its query set or any of its implied query sets (a • b),† (a • ~b),
(~a • b), and (~a • ~b) fall outside the range [n, N − n]. Because |~a • ~b|
= N − |a + b|, it is not necessary to explicitly check the size of both (~a • ~b)
and (a + b).

To summarize: a query q(a • b) or q(a + b) is permitted if and only if the
sizes of the following query sets fall in the range [n, N − n]:

a • b,   a • ~b,   ~a • b,   ~a • ~b .
† Friedman and Hoffman did not include (a • b) in their list of implied query sets for (a + b); we
have included it because q(a • b) can be sensitive even if q(a + b) and its other implied queries are not.
By symmetry, the queries q(~a • b), q(a • ~b), q(~a • ~b), q(~a + b), q(a +
~b), and q(~a + ~b) have the same four implied query sets. The four implied
query sets partition the database as shown in Figure 6.13. The partitioning is such
that given a statistic over any one of these areas (or over three of the four areas),
the same statistic can be computed over all the areas using only lower-order
statistics [namely q(a), q(b), and q(All)].

Because the database is partitioned by the four query sets, it is not possible
for one of the sets to be larger than N − n unless some other set is smaller than n;
therefore, it is not necessary to check upper bounds. It is necessary to check all
four lower bounds, however, because any one of the four query sets could be
sensitive even if the other three are not. We also observe that if the four 2-order
query sets are not sensitive, then the 1-order statistics q(a) and q(b) cannot be
sensitive. The converse, however, is not true.
Example:
We shall show how two attacks aimed at learning Baker's GP can be thwarted
by checking implied query sets. Because Baker is the only Female student
in EE, her GP could be derived using the following:

sum(Female • EE, GP)
  = sum(Female, GP) + sum(EE, GP) − sum(Female + EE, GP) .

Because the query set (Female + EE) has the implied query set (Female •
EE), where |Female • EE| = 1, the statistic sum(Female + EE, GP) would
be suppressed, thwarting the attack.

Similarly, Baker's GP could be derived from:

sum(Female • EE, GP)
  = sum(Female, GP) − sum(Female • ~EE, GP) .

Because the query set (Female • ~EE) has the implied query set (Female •
~~EE) = (Female • EE), the statistic sum(Female • ~EE, GP) would
similarly be suppressed, thwarting the attack. ■
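For 2-order statistics, the implied-queries control reduces to checking that the four sets a • b, a • ~b, ~a • b, and ~a • ~b each contain at least n records. A sketch on an invented toy database (only Baker's uniqueness in Female • EE is taken from the example):

```python
# Implied-queries control for 2-order statistics, on an invented toy database.
ALL = set(range(13))                   # record identifiers
female = {0, 1, 2, 3, 4, 5}            # invented membership sets
ee = {0, 6, 7}                         # Baker (record 0) is the only Female EE
n = 3

def permitted_2order(a, b):
    """True iff the four implied query sets a.b, a.~b, ~a.b, ~a.~b all
    have at least n records (upper bounds need not be checked)."""
    implied = [a & b, a - b, b - a, ALL - (a | b)]
    return all(len(s) >= n for s in implied)

# Both sum(Female + EE, GP) and sum(Female . ~EE, GP) would be refused,
# because the implied query set Female . EE has only 1 < n records:
assert not permitted_2order(female, ee)

# A pair whose four implied sets all have >= n records is permitted:
other = {0, 1, 2, 6, 7, 8}
assert permitted_2order(female, other)
```

The same check, applied to all 2^m implied sets, gives the m-order control described next.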
q(a1 • a2 • · · · • am)
q(a1 • a2 • · · · • ~am)
   . . .
q(a1 • ~a2 • · · · • ~am)
q(~a1 • a2 • · · · • am)
   . . .
q(~a1 • ~a2 • · · · • ~am)
[Figure 6.14: the database partitioned into the eight sets a • b • c, a • b • ~c,
a • ~b • c, a • ~b • ~c, ~a • b • c, ~a • b • ~c, ~a • ~b • c, and ~a • ~b • ~c.]
Implied-Queries Control:
An m-order statistic over attribute values a1, . . ., am is permitted if and only
if all 2^m implied query sets listed above have at least n records. ■
Figure 6.14 shows the eight implied query sets for the case m = 3. The
formulas relating a statistic q computed over one of the query sets to the remaining
query sets are:
q(a • b • ~c) = q(a • b) − q(a • b • c)
q(a • ~b • c) = q(a • c) − q(a • b • c)
q(~a • b • c) = q(b • c) − q(a • b • c)
q(a • ~b • ~c) = q(a • ~b) − q(a • ~b • c)
              = q(a) − q(a • b) − q(a • c) + q(a • b • c)
q(~a • ~b • c) = q(c) − q(a • c) − q(b • c) + q(a • b • c)
q(~a • b • ~c) = q(b) − q(a • b) − q(b • c) + q(a • b • c)
q(~a • ~b • ~c) = q(All) − q(a) − q(b) − q(c)
               + q(a • b) + q(a • c) + q(b • c) − q(a • b • c) .
                              B
         b1            b2         · · ·      bt
a1    q(a1 • b1)   q(a1 • b2)    · · ·   q(a1 • bt)    q(a1)
a2    q(a2 • b1)   q(a2 • b2)    · · ·   q(a2 • bt)    q(a2)
 ⋮
as    q(as • b1)   q(as • b2)    · · ·   q(as • bt)    q(as)
Suppressing statistics that directly imply q(a1 • b1) does not, however, preclude
deduction of q(a1 • b1) from queries about disjoint subsets of a1 or b1. For example,

q(a1 • b1) = q(b1) − [q(a2 • b1) + · · · + q(as • b1)] .
This example suggests that for a given m-order statistic over attributes A1,
. . ., Am, it would be necessary to check all elementary sets defined by these attributes.
If each attribute Ai has |Ai| possible values, this would involve checking

∏_{i=1}^{m} |Ai|

query sets.
It is more efficient to keep a history of previously asked queries for the
purpose of determining whether each new query causes compromise (see Section
6.3.3) than it is to determine whether a query could potentially cause compromise.
Moreover, the implied-queries approach is likely to be much less precise, because
the additional queries needed to cause compromise may never be asked.
6.4.3 Partitioning
Yu and Chin [Yu77] and Chin and Ozsoyoglu [Chin79] have studied the feasibility
of partitioning a dynamic database at the physical level into disjoint groups
such that:
Sex         1978   1979   1980   1981
Female        *      2      2      0
Male          4      2      0      2

(* merged with Male • 1978 into a single group of four records; see the example below)
The first two conditions prevent attacks based on small query sets and insertions
or deletions of records (see Section 6.3.5). The third condition prevents exact disclosure
from attacks based on isolating a particular individual, for example, by
using a tracker or a linear system of equations. Clever query sequences can at best
disclose information about an entire group.
Example:
Table 6.10 gives counts for a possible partitioning of the student record
database when k = 1. Because the database has an odd number of records,
the record for Kline has been omitted. Because the query set "Female •
1978" contains a single record and the set "Male • 1978" contains an odd
number of records (3), these sets have been merged (Olsson calls this "rolling
up" [Olss75]). A query for a statistic count(Male • 1978) would thus return
count(1978) = 4 (rather than 3), and a query count(EE) would return
count(1978 + Female • 1980 + Male • 1981) = 8 (rather than 4) because
there are EE majors in all three groups. ■
[Figure 6.15: hierarchical partitioning of the student record database by Sex and Class.]
Example:
Figure 6.15 illustrates a partitioning of the student record database by Sex
and Class similar to the partitioning in Table 6.10. The populations at the
leaves of the hierarchy are atomic, and the populations at the middle level
form two clusters: Sex = {Male, Female} and Class = {1978, 1979, 1980,
1981}. ■
1. q(P) is permitted if and only if q(P′) is permitted for every population P′ in
   a cluster with P.
2. q(P) is permitted if q(S) is permitted for any subpopulation S of P.

If P1, . . ., Pm are atomic populations in the same cluster, condition (1) says that if
any Pi must be suppressed, then all Pi must be suppressed. This may be much more
restrictive than necessary.
A User Knowledge Construct (UKC) defines groups of users and their supplementary
knowledge about the database, the operations permitted to members of
the group, and the security constraints of the group. Security information in both
the PDCs and a UKC is used to determine whether a statistic should be released to
a particular user.

MECHANISMS THAT ADD NOISE 371
Feige and Watts [Feig70] describe a variant of partitioning called microaggregation:
individuals are grouped to create many synthetic "average individuals";
statistics are computed for these synthetic individuals rather than the real ones.
Partitioning may limit the free flow of statistical information if groups are
excessively large or ill-conceived, or if only a limited set of statistics can be computed
for each group. But if a rich set of statistical functions is available, large
groups may not severely impact the practicality of some databases.
Dalenius and Denning [Dale79] considered the possibility of a single-partition
database; that is, the only available statistics are those computed over the
entire database. All released statistics would be finite moments of the form:

q(All, e1, . . ., eM) = Σ_{i=1}^{N} x_{i1}^{e1} x_{i2}^{e2} · · · x_{iM}^{eM} ,

where

e1 + e2 + · · · + eM ≤ e

for some given e. Because all statistics are computed over the entire database,
disclosure is extremely difficult if not impossible. At the same time, it is possible
for the statistician to compute correlations of attributes.
We considered the feasibility of releasing all moments for a given e as an
alternative to releasing macrostatistics or microstatistics. This approach would
provide a richer set of statistics than are provided by macrostatistics, but a higher
level of protection than provided by microstatistics. The total number of moments
increases rapidly with e and M, however, so it may not be feasible to compute and
release more than a relatively small subset of all possible moments. The total
number of moments over M variables is given by the binomial coefficient

m_e(M) = (M + e choose e) .

Example:
If M = 40, then m_2(40) = 861 and m_3(40) = 12,341. ■
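The moment counts in this example follow directly from the binomial coefficient:

```python
# Number of finite moments of degree at most e over M variables.
from math import comb

def num_moments(M, e):
    # number of exponent vectors (e1, ..., eM) with e1 + ... + eM <= e
    return comb(M + e, e)

print(num_moments(40, 2), num_moments(40, 3))   # 861 12341
```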
Restricting statistics that might lead to disclosure can be costly and imprecise,
especially if we take into account users' supplementary knowledge. Consequently,
there is considerable interest in simple mechanisms that control disclosure by
adding noise to the statistics. These mechanisms are generally more efficient to
apply, and allow the release of more nonsensitive statistics.
Given a rounded value r(q), a user can deduce that q lies in the interval [r(q) − b′
+ 1, r(q) + b′ − 1]. For example, if b = 5, then r(q) = 25 implies q ∈ [23, 27].
Under certain conditions, it is possible to recover exact statistics from their
rounded values. Let C1, . . ., Cm be disjoint query sets, and let Cm+1 = C1 ∪ · · · ∪
Cm; thus, qm+1 = q1 + · · · + qm, where qi = sum(Ci, A) for some attribute A (1 ≤ i
≤ m + 1). Let [Li, Ui] be the interval estimates for each r(qi), and let L = L1 +
· · · + Lm and U = U1 + · · · + Um. Achugbue and Chin [Achu79] show that it is
possible to deduce the exact values of the qi from the rounded values r(qi) when
either:

(i) U = Lm+1, in which case
    qi = Ui   (1 ≤ i ≤ m)
    qm+1 = Lm+1 , or

(ii) L = Um+1, in which case
    qi = Li   (1 ≤ i ≤ m)
    qm+1 = Um+1 .
[Figure: number lines illustrating the intervals [Lm+1, Um+1] for Case (i) and
Case (ii) disclosure.]
      r(qi)   Li    Ui
q1     15     13    17
q2     10      8    12
q3     15     13    17
q4     20     18    22
              52    68
qm+1   70     68    72
Example:
Table 6.12 shows how exact values can be recovered from a 2-dimensional
table of rounded sums, where the rounding base b is 5. Here the total must
be at least 76, which is achievable only when the entries inside the table
achieve their maximum possible values. ■

(a) Table of Rounded Values:

10   20   35
10   20   40
25   50   80

(c) Table of Exact Values:

14   24   38
14   24   38
28   48   76
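The recovery conditions can be sketched in a few lines; the rounded values and interval radius below are those of the four-query table above, which falls under case (i):

```python
# Recovering exact sums from rounded values, per the conditions above.
# Rounded statistics for disjoint query sets C1..C4 and their union C5:
r = [15, 10, 15, 20, 70]
radius = 2                      # each qi lies in [r(qi) - 2, r(qi) + 2]
L = [v - radius for v in r]
U = [v + radius for v in r]

exact = None
if sum(U[:-1]) == L[-1]:        # case (i): U = L_{m+1}
    exact = U[:-1] + [L[-1]]
elif sum(L[:-1]) == U[-1]:      # case (ii): L = U_{m+1}
    exact = L[:-1] + [U[-1]]

print(exact)    # [17, 12, 17, 22, 68]: all five sums are disclosed exactly
```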
Z_p = Σ_q |q − r(q)|^p .
Random-Sample-Query Control:
Given a query q(C), as the query processor examines each record i in C, it
applies a selection function f(C, i) that determines whether i is used to
compute the statistic. The set of selected records forms a sampled query set

C* = {i ∈ C | f(C, i) = 1} ,

from which the query processor returns q* = q(C*). A parameter p specifies
the sampling probability that a record is selected. ■
The uncertainty introduced by this control is the same as the uncertainty in sampling
the entire database, with a probability p of selecting a particular record for a
sample. The expected size of a random sample over the entire database of size N is
pN.
The control is easy to implement when p = 1 − 1/2^k. Let r(i) be a function
that maps the ith record into a random sequence of m ≥ k bits. Let s(C) be a
function that maps formula C into a random sequence of length m over the alphabet
{0, 1, *}; this string includes exactly k bits and m − k asterisks (asterisks
denote "don't care"). The ith record is excluded from the sampled query set whenever
r(i) matches s(C) [a "match" exists whenever each nonasterisk character of
s(C) is the same as the corresponding symbol of r(i)]. The selection function f(C,
i) is thus given by

f(C, i) = 1 if r(i) does not match s(C)
          0 if r(i) matches s(C) .

This method applies for p ≥ 1/2 (e.g., p = .5, .75, .875, and .9375). For p < 1/2,
use p = 1/2^k; the ith record is included in the sample if and only if r(i) matches
s(C).
Example:
Let p = 7/8, m = 8, and s(C) = "*10*1***". If r(i) = "11011000" for some
i, that record would match s(C) and be excluded from C*. If r generates
unique random bit sequences, then the expected size of C* is 7/8 that of C. ■
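The selection function is a simple pattern match. This sketch reproduces the example (the second record string is invented):

```python
# Random-sample-query selection function for p = 1 - 1/2**k.
def matches(r_bits, pattern):
    """True iff every non-asterisk character of pattern equals r_bits."""
    return all(p == "*" or p == b for b, p in zip(r_bits, pattern))

def f(r_bits, pattern):
    # record excluded from the sampled query set C* whenever it matches
    return 0 if matches(r_bits, pattern) else 1

s_C = "*10*1***"                 # k = 3 fixed bits, so p = 1 - 1/8 = 7/8
print(f("11011000", s_C))        # 0: the record from the example is excluded
print(f("10011000", s_C))        # 1: an invented record that is included
```

Because s(C) fixes exactly k of the m bit positions, a record with uniformly random r(i) matches with probability 1/2^k, giving the stated sampling probability p = 1 − 1/2^k.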
The true relative frequency and average are

rfreq(C) = |C| / N

avg(C, A) = (1/|C|) Σ_{i∈C} xi .

The corresponding sampled statistics are

rfreq*(C) = |C*| / pN

avg*(C, A) = (1/|C*|) Σ_{i∈C*} xi .

Note the expected value of |C*| is p|C|; thus, the expected value of the sampled
frequency is |C|/N, the true relative frequency.
The values of p and N may be published so users can judge the significance
of the estimates returned. A user who knows p and N can then compute approximations
for both the sampled and unsampled counts and sums.

A minimum query-set-size restriction is still needed with RSQs if the sampling
probability is large. Otherwise, all records in a small query set would be
included in a sample with high probability, making compromise possible.
Compromise is controlled by introducing small sampling errors into the statistics.
For frequencies, the relative error between the sampled frequency and the
true frequency is given by

fc = [rfreq*(C) − rfreq(C)] / rfreq(C) .

The expected relative error is zero; thus, the sampled relative frequency is an
unbiased estimator of the true relative frequency. The root-mean-squared relative
error is

R(fc) = sqrt[ (1 − p) / (p |C|) ] .

Thus, for fixed p, the expected error decreases as the square root of the query-set
size.
Figure 6.17 shows a graph of the error R(fc) as a function of |C| for several
values of p. For p > .5, |C| > 100 gives less than a 10% error. For p = .9375, |C|
> 667 gives less than a 1% error. For extremely small query sets, however, the
relative errors may be unacceptably high. Absolute errors for counts are greater
than those for relative frequencies by a factor of N; however, their relative errors
are comparable. The same holds for sums as compared with averages.
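The quoted error figures follow from the root-mean-squared error formula R(fc) = sqrt((1 − p)/(p|C|)):

```python
# Root-mean-squared relative error of sampled frequencies under RSQs.
from math import sqrt

def R(p, size_C):
    return sqrt((1 - p) / (p * size_C))

print(round(R(0.5, 100), 3))     # 0.1: 10% error at p = .5, |C| = 100
print(round(R(0.9375, 667), 4))  # 0.01: about 1% error at p = .9375
```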
The relative error between a sampled average and the true average is
given by:

ac = [avg*(C, A) − avg(C, A)] / avg(C, A) .

The sampled average is not unbiased, but its bias is negligible. The root-mean-square
error depends on the distribution of the data values in the query set. For
sufficiently large |C|, it is approximately

R(ac) ≈ cfv(C, A) R(fc) ,

where cfv(C, A) = var(C, A)^(1/2) / avg(C, A) is the coefficient of variation for the
distribution of data values of A in C. If the data values are uniformly distributed
over a moderately large interval [1, d] (e.g., d > 10), the root-mean-square error
becomes

R(ac) ≈ 0.6 R(fc) ,

showing that the relative errors in averages behave the same as in frequencies but
are 40% smaller. These results were confirmed experimentally on a simulated
database.
RSQs control compromise by reducing a questioner's ability to interrogate
the desired query sets precisely. We have studied the extent to which the control
may be circumvented by small query sets, general trackers, and error removal by
averaging. Compromise may be possible with small query sets unless p is small or
a minimum query-set-size restriction is imposed. Trackers, on the other hand, are
no longer a useful tool for compromise.

RSQs appear to be most vulnerable to attacks based on error removal by
averaging. Because the same query always returns the same response, it is necessary
to pose different but "equivalent" queries to remove sampling errors. One
method involves averaging the responses of equivalent queries that use different
formulas to specify the same query set.
Example:
The statistic q(Male • 1978) could be estimated from the sampled statistics:
q*(Male • 1978)
q*(~Female • 1978)
q*(Male • ~(1979 + 1980 + 1981))
q*(Male • (Bio • 1978) + Male • (~Bio • 1978)) . ■
Schlörer observed that this problem does not arise if s(C) is a function of the query
set C rather than the characteristic formula, so that s(C) = s(D) whenever formulas
C and D are reducible to each other. Still, this would not prevent a second
method of averaging that uses disjoint subsets of query sets.
Example:
The statistic q(Male • 1978) could be estimated from:

q*(Male • 1978 • Bio) + q*(Male • 1978 • ~Bio)
q*(Male • 1978 • CS) + q*(Male • 1978 • ~CS)
q*(Male • 1978 • EE) + q*(Male • 1978 • ~EE)
q*(Male • 1978 • Psy) + q*(Male • 1978 • ~Psy) . ■
Averaging the responses to m equivalent queries gives a 95% confidence interval
for a relative frequency of width

k = 3.92 σm = (3.92/N) sqrt[ (1 − p)|C| / (p m) ] .

Now, k ≤ 1/N is required to estimate q to within one record (such accuracy is
required, for example, to estimate relative frequencies for small query sets using
trackers). The number of queries required to achieve this accuracy is

m ≥ (3.92)² (1 − p)|C| / p .
For fixed p, the function grows linearly in |C|. For p = .5, over 450 queries are
required to estimate frequencies for query sets of size 30; over 1500 queries are
required to estimate frequencies for query sets of size 100. For p = .9375, 100
queries are required to estimate frequencies for query sets of size 100.
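The query counts quoted in this paragraph are consistent with a 95% confidence bound of roughly m ≥ 3.92²(1 − p)|C|/p queries (a reconstruction; treat the constant as approximate):

```python
# Queries needed to estimate a frequency to within one record, assuming the
# bound m >= 3.92**2 * (1 - p) * |C| / p (an approximate reconstruction).
from math import ceil

def queries_needed(p, size_C):
    return ceil(3.92 ** 2 * (1 - p) * size_C / p)

print(queries_needed(0.5, 30))      # 461  ("over 450")
print(queries_needed(0.5, 100))     # 1537 ("over 1500")
print(queries_needed(0.9375, 100))  # 103  (roughly 100)
```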
For averages taken over variables uniformly distributed over a range [1, s],

m > 128 (1 − p)|C| / p
queries are required to obtain an estimate sufficiently accurate to enable personal
disclosure by a simple tracker attack (more complex linear-system attacks would
require even more queries). This is about an order of magnitude greater than for
frequencies; whereas the relative errors in averages (for uniform distributions) are
lower than in frequencies, more queries are required to obtain estimates accurate
enough to compromise with averages than with frequencies. S. Kurzban observed,
however, that compromise may be easier for skewed distributions, which would
also have higher relative errors.
For large query sets, the number of queries required to obtain reliable esti-
mates of confidential data under RSQs is large enough to protect against manual
attacks. Nevertheless, a computer might be able to subvert the control by system-
atically generating the necessary queries. Threat monitoring (i.e., keeping a log or
audit trail) is probably necessary to detect this type of systematic attack [Hoff70].
Noise can also be added to the data values directly--either by permanently modi-
fying the data stored in the database, or by temporarily perturbing the data when
it is used in the calculation of some statistic. The first approach is useful for
protecting data published in the form of microstatistics, but it cannot be used in
general-purpose databases where the accuracy of the data is essential for nonsta-
tistical purposes. This section describes a temporary perturbation scheme for gen-
eral-purpose systems. The next section describes data modification for published
microstatistics.
Data perturbation involves perturbing each data value x_i used to compute a
statistic q(C) by some function f(x_i), and then using x′_i = f(x_i) in place of x_i in the
computation. Beck [Beck80] showed how data perturbation could be integrated
into a query-processing system for count, sum, and selection queries. We shall
describe his approach for protecting data released as sums.
Consider the query
S = sum(C, A) = Σ_{i∈C} x_i .
Rather than releasing sum(C, A), the system computes and releases
S′ = sum′(C, A) = Σ_{i∈C} x′_i ,      (6.12)

where

x′_i = x_i + z1_i (x_i − x̄_C) + z2_i ,

and x̄_C = avg(C, A) = sum(C, A)/|C| is the mean value taken over the query set C,
and z1_i and z2_i are independent random variables, generated for each query, with
expected value and variance:

E(z1_i) = 0 ,   Var(z1_i) = 2a²
E(z2_i) = 0 ,   Var(z2_i) = (2a²/|C|)(x̄_C − x̄)² ,

where x̄ = avg(All, A) is the mean taken over the entire database, and the param-
eter a is constant for all queries. The expected value of S′ is E(S′) = S; thus, the
perturbed statistic is an unbiased estimator of the true statistic.
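Unbiasedness is easy to check by simulation. The sketch below draws z1_i and z2_i as Gaussians with the stated variances; the data values, the database mean, and the choice of a are made-up, and Beck's scheme does not prescribe a particular distribution:

```python
import random

def perturbed_sum(xs, x_all_mean, a, rng):
    """One perturbed response S' = sum over C of
    x_i + z1_i*(x_i - xbar_C) + z2_i, with Var(z1_i) = 2a^2 and
    Var(z2_i) = (2a^2/|C|)*(xbar_C - xbar)^2."""
    xbar_c = sum(xs) / len(xs)
    sd1 = (2 * a * a) ** 0.5
    sd2 = (2 * a * a / len(xs)) ** 0.5 * abs(xbar_c - x_all_mean)
    return sum(x + rng.gauss(0, sd1) * (x - xbar_c) + rng.gauss(0, sd2)
               for x in xs)

rng = random.Random(1)
data = [3.0, 4.0, 3.5, 2.0, 4.0]    # hypothetical attribute values in C
true_sum = sum(data)                # S = 16.5
trials = [perturbed_sum(data, 3.2, 0.25, rng) for _ in range(20000)]
mean_response = sum(trials) / len(trials)
```

Averaged over many trials, the responses cluster around the true sum, while any single response carries noise whose standard deviation is bounded below as shown next.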
The variance of S' is
Var(S′) = 2a² σ_C² |C| + 2a² (x̄_C − x̄)² ,      (6.13)

where

σ_C² = (1/|C|) Σ_{i∈C} (x_i − x̄_C)² .

Because σ_C² |C| ≥ (x_i − x̄_C)² for each i ∈ C, and 2(u² + v²) ≥ (u + v)², Eq. (6.13)
implies

σ_S′ ≥ a |x_i − x̄| ,

where σ_S′ is the standard deviation of the estimate S′.
Beck defines a value x_i to be safe if it is not possible to obtain an estimate x̂_i
of x_i whose standard deviation is less than c|x_i − x̄|,
where c is a parameter of the system. The preceding result shows that it is not
possible to compromise a value x_i using a single query if a ≥ c.
Beck also shows that it takes at least n = (a/c)² queries to compromise a
382 INFERENCE CONTROLS
database using any kind of linear-system attack, including those based on error
removal by averaging. Combining these two results, we see that compromise can
be prevented by picking a >> c.
Unfortunately, this has the undesirable side effect of introducing extremely
large errors into the released statistics. Beck solves this problem by introducing a
scheme for changing the z1_i and z2_i so that it is possible to achieve an exponential
increase in the number of queries needed to compromise, with less than a linear
increase in the standard deviation of the responses.
Rather than picking a completely new z1_i and z2_i for each record and each
query, z1_i and z2_i are computed as sums of m independent random variables:

z1_i = Σ_{j=1}^{m} z1_ij ,   z2_i = Σ_{j=1}^{m} z2_ij ,

where:

E(z1_ij) = 0 ,   Var(z1_ij) = 2a²
E(z2_ij) = 0 ,   Var(z2_ij) = (2a²/|C|)(x̄_C − x̄)² ,

so that E(z1_i) = 0, Var(z1_i) = 2ma², and E(z2_i) = 0, Var(z2_i) = (2ma²/|C|)(x̄_C − x̄)².
This means that the response S′ will have variance

Var(S′) = 2ma² σ_C² |C| + 2ma² (x̄_C − x̄)² ,      (6.14)

so that the standard deviation will be bounded by

σ_S′ ≥ a√m |x_i − x̄| .
The z1_ij and z2_ij are generated pseudorandomly, in such a way that S′ can be
computed with just a single pass over the data values. Let r(i) be a function that
maps the ith record into a pseudorandom bit pattern, as in the random-sample-
queries control; similarly, let r(S) be a pseudorandom bit pattern of the query S.
We also associate m − 1 bit patterns b_2, ..., b_m with the database, where each b_j is
changed after every d^(j−1) queries. Then z1_i1 is generated using r(i) ⊕ r(S) as a seed
to a random number generator (where ⊕ denotes exclusive-or); and for j = 2, ...,
m, z1_ij is generated using r(i) ⊕ b_j as the seed. Similarly, z2*_ij is generated, using a
different random number generator, where z2*_ij is the same as z2_ij, except that
Var(z2*_ij) = 1 (thus it can be generated without knowing x̄_C); therefore,

z2_ij = [ 2a²(x̄_C − x̄)² / |C| ]^(1/2) · z2*_ij .
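The seeding scheme can be sketched as follows. The hash-based seed derivation, the names, and the parameter values are our assumptions: the text specifies XOR of pseudorandom bit patterns, which a hash of the concatenation merely stands in for. The point illustrated is that the noise is a deterministic function of (record, query, b_j), so re-asking the same query reproduces the same noise.

```python
import hashlib
import random

def seed(*parts):
    """Hash-combine bit patterns into an integer seed (a stand-in for
    the XOR r(i) + r(S) of pseudorandom bit patterns)."""
    h = hashlib.sha256("|".join(parts).encode()).digest()
    return int.from_bytes(h[:8], "big")

def z1(i, query, b, m, a):
    """z1_i as a sum of m components with Var = 2a^2 each: the first
    seeded by (record, query), the rest by (record, b_j)."""
    sd = (2 * a * a) ** 0.5
    total = random.Random(seed(str(i), query)).gauss(0, sd)
    for j in range(2, m + 1):
        total += random.Random(seed(str(i), b[j])).gauss(0, sd)
    return total

b = {2: "pattern-2", 3: "pattern-3"}   # b_j patterns, replaced on a schedule
repeat = z1(7, "Male.1978", b, 3, 0.25) == z1(7, "Male.1978", b, 3, 0.25)
```

Because only the first component changes with the query while the others change only when some b_j is replaced, an averaging attacker must wait out the b_j schedule, which is what yields the exponential growth in required queries.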
To compute the released statistic in a single pass over the query set, we
observe that
S′ = Σ_{i∈C} x′_i = Σ_{i∈C} [ x_i + z1_i (x_i − x̄_C) + z2_i ]

   = S + S1 − x̄_C Z1 + [ 2a²(x̄_C − x̄)² / |C| ]^(1/2) Z2* ,

where:

S1 = Σ_{i∈C} z1_i x_i ,
Z1 = Σ_{i∈C} z1_i ,
Z2* = Σ_{i∈C} z2*_i .
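The single-pass identity can be verified numerically. Everything concrete below (the values, a, the means, the noise pairs, and the function name) is invented for the check; the accumulation of S, S1, Z1, and Z2* in one loop is the point:

```python
import random

def single_pass_sum(xs, x_all_mean, a, noise):
    """S' = S + S1 - xbar_C*Z1 + sqrt(2a^2(xbar_C - xbar)^2/|C|)*Z2*,
    accumulating S, S1, Z1, Z2* in a single pass; noise[i] is the
    pair (z1_i, z2star_i) for the ith value."""
    s = s1 = zz1 = z2star = 0.0
    for x, (z1_i, z2s_i) in zip(xs, noise):
        s += x
        s1 += z1_i * x
        zz1 += z1_i
        z2star += z2s_i
    xbar_c = s / len(xs)
    scale = (2 * a * a * (xbar_c - x_all_mean) ** 2 / len(xs)) ** 0.5
    return s + s1 - xbar_c * zz1 + scale * z2star

# Compare against the direct formula x'_i = x_i + z1_i(x_i - xbar_C) + z2_i.
rng = random.Random(7)
xs = [2.0, 3.0, 5.0, 4.0]
noise = [(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in xs]
a, xbar_all = 0.5, 3.2
xbar_c = sum(xs) / len(xs)
scale = (2 * a * a * (xbar_c - xbar_all) ** 2 / len(xs)) ** 0.5
direct = sum(x + z1_i * (x - xbar_c) + scale * z2s_i
             for x, (z1_i, z2s_i) in zip(xs, noise))
one_pass = single_pass_sum(xs, xbar_all, a, noise)
```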
A database D is d-transformable if there exists a database D′ ≠ D such that:

1. D and D′ have the same k-order frequency counts for k = 0, 1, ..., d, and
2. D and D′ have no records in common.
Example:
Table 6.13 shows a 2-transformable database D of student records contain-
ing the three fields Sex, Major, and GP. This database is 2-transformable
because the database D′ has the same 0-, 1-, and 2-order statistics. For
example, count(Female · CS) = 1 in both D and D′. Note, however, that 3-
order statistics are not preserved. For example,

count(Female · CS · 3.0) = 1 in D
                         = 0 in D′ .  ∎
Because all 1-order counts must be preserved, D' must contain exactly the
same set of values, and in the same quantities, as D. Thus, D' can be obtained from
D by swapping the values among the records. If swapping is done on a single
attribute A (as in Table 6.13), it suffices to check counts that involve the values of
A to determine whether all low-order statistics are preserved.
Schlörer studied the conditions under which a database D is d-transform-
able. He also showed that D must have a recursive structure. Consider each subdatabase
D1 of D consisting of all records having the same value for some attribute A (in D1
the attribute A is omitted). If D is d-transformable, then D1 must be (d − 1)-
transformable over the remaining attributes.
Example:
Figure 6.18 illustrates the recursive structure of the database D of Table
6.13, where A = Sex. Note that the subdatabase D1′ is a 1-transformation of
the subdatabase D1, and vice versa.  ∎
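Checking d-transformability is mechanical: compare multisets of k-order counts. In the sketch below, D is Table 6.13 as best it can be read from the text; D′ is our own reconstruction, chosen only to satisfy the stated properties (same counts up to order 2, no shared records), and is not necessarily the book's table:

```python
from collections import Counter
from itertools import combinations

def k_order_counts(db, k):
    """For every k-subset of attribute positions, count each combination
    of values; equal Counters mean equal k-order frequency counts."""
    counts = Counter()
    for record in db:
        for pos in combinations(range(len(record)), k):
            counts[pos, tuple(record[p] for p in pos)] += 1
    return counts

D = [("Female", "Bio", 4.0), ("Female", "CS", 3.0),
     ("Female", "EE", 3.0), ("Female", "Psy", 4.0),
     ("Male", "Bio", 3.0), ("Male", "CS", 4.0),
     ("Male", "EE", 4.0), ("Male", "Psy", 3.0)]
# Hypothetical 2-transformation: swap GPs within each sex.
Dp = [("Female", "Bio", 3.0), ("Female", "CS", 4.0),
      ("Female", "EE", 4.0), ("Female", "Psy", 3.0),
      ("Male", "Bio", 4.0), ("Male", "CS", 3.0),
      ("Male", "EE", 3.0), ("Male", "Psy", 4.0)]

same_upto_2 = all(k_order_counts(D, k) == k_order_counts(Dp, k)
                  for k in range(0, 3))
differs_at_3 = k_order_counts(D, 3) != k_order_counts(Dp, 3)
disjoint = not set(D) & set(Dp)
```

As in the example, count(Female · CS) is 1 in both databases, while count(Female · CS · 3.0) is 1 in D and 0 in D′.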
Data swapping could be used in two ways. One way would be to take a given
database D, find a d-transformation on D for some suitable choice of d, and then
release the transformed database D′. This method could be used with statistics-
only databases and the publication of microstatistics; it could not be used with
general-purpose databases. A second way would be to swap values among the
records without regard to preserving more than 0- and 1-order statistics. Some of these tech-
niques are discussed by Dalenius [Dale76] and by Campbell, Boruch, Schwartz,
and Steinberg [Camp77].

[Figure 6.18: the database D of Table 6.13 partitioned by Sex — Female: Bio 4.0,
CS 3.0, EE 3.0, Psy 4.0; Male: Bio 3.0, CS 4.0, EE 4.0, Psy 3.0.]
Because many individuals fear invasion of their privacy, they do not respond truth-
fully to sensitive survey questions. For example, if an individual is asked "Have
you ever taken drugs for depression?", the individual may lie and respond No,
thereby biasing the results of the survey. Warner [Warn65] introduced a "ran-
domized response" technique to deal with this problem. The technique is applied
at the time the data is gathered--that is, at the time of inquiry.
The basic idea is that the individual is asked to draw a question at random
from a set of questions, where some of the questions are sensitive and some are not.
Then the individual is asked to respond to that question, but to not reveal the
question answered.
Bourke and Dalenius [Bour75] and Dalenius [Dale76] discuss several strate-
gies for doing this. Warner's original scheme is illustrated by the following sample
questions:

Question 1: Were you born in August?
Question 2: Have you taken drugs for depression?
The objective of the survey is to determine the percentage of the population who
have taken drugs for depression. The respondent picks one question at random
(e.g., by tossing a coin), and then answers Yes or No. Assuming that the percent-
age of the population born in August is known, the percentage who have taken
drugs for depression can be deduced from the number of Yes answers (see exer-
cises at end of chapter).
Although it is not possible to determine whether an individual has taken
drugs for depression from a Yes answer, a Yes answer might seem potentially more
revealing than a No answer. This lack of symmetry may, therefore, bias the re-
sults, though the bias will be less than if the respondent is given no choice at all
and asked Question 2 directly.
Bourke suggested a symmetric scheme to remove this bias. Here the respon-
dent is asked to draw a card at random from a deck and respond with the number
on the card that describes him. His approach is illustrated next:
Card 1: (1) I have taken drugs for depression.
(2) I have not taken drugs for depression.
Card 2: (1) I was born in August.
(2) I was not born in August.
Card 3: (1) I have not taken drugs for depression.
(2) I have taken drugs for depression.
Because a response of "1" (or "2") is linked to both having taken drugs and not
having taken drugs, an individual might feel less threatened about responding
truthfully to the survey.
Let p_i be the proportion of cards of type i in the deck (i = 1, 2, 3), and let b be the
probability that an individual was born in August. Suppose that N individuals are
surveyed, and that N1 of them respond "1". To determine the probability d that an
individual has taken drugs for depression, we observe that the expected number of
individuals responding "1" is given by
E(1) = [ p1·d + p2·b + p3·(1 − d) ]·N .

If p1 ≠ p3, we can solve for d, getting

d = ( E(1)/N − p2·b − p3 ) / ( p1 − p3 ) .

Because N1 is an estimate of E(1), we can estimate d with

d̂ = ( N1/N − p2·b − p3 ) / ( p1 − p3 ) .
Example:
Let N = 1000, p1 = .4, p2 = .3, p3 = .3, b = .1, and N1 = 350. Then
d̂ = .2.  ∎
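The estimate in the example can be checked mechanically; the function below is ours, not from the text:

```python
def estimate_d(n_total, n_ones, p1, p2, p3, b):
    """d-hat = (N1/N - p2*b - p3) / (p1 - p3); requires p1 != p3."""
    return (n_ones / n_total - p2 * b - p3) / (p1 - p3)

# The example's values: N = 1000, N1 = 350, p1 = .4, p2 = p3 = .3, b = .1
d_hat = estimate_d(1000, 350, 0.4, 0.3, 0.3, 0.1)   # about .2
```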
6.6 SUMMARY
EXERCISES
6.7 Prove the cell suppression bound q−(C) defined by Eq. (6.11) is not superad-
ditive by showing that the following may hold:
q−(C) + q−(D) > q−(C + D).
6.8 Let q = 100 + 5 + 5 + 5 + 5 = 120. Show q is sensitive under a 1-
respondent, 75%-dominance sensitivity criterion. Determine a lower bound
on an acceptable upper estimate q+ of q [Eq. (6.10)], and an upper bound on
an acceptable lower estimate q− of q [Eq. (6.11)].
6.9 Given the following table of rounded values, determine the exact values
assuming that systematic rounding base 5 was used.
10 10 25
10 10 25
25 25 50
6.10 Karpinski showed it may be possible to subvert a systematic rounding control
when records can be added to the database [Karp70]. As an example, sup-
pose that count(C) = 49 and systematic rounding base 5 is used; thus, the
system returns the value 50 in response to a query for count(C). Show how a
user can determine the true value 49 by adding records that satisfy C to the
database, and posing the query count(C) after each addition. Can this attack
be successfully applied with random rounding?
6.11 Consider Beck's method of data perturbation. Show that S' as defined by Eq.
(6.12) is an unbiased estimator of the true sum S. Derive Eqs. (6.13) and
(6.14) for Var (S').
6.12 Consider the 2-transformable database D in Table 6.13 of Section 6.5.4.
Suppose that a user knows Jane is represented in the database and that Jane
is a CS major. Explain why it is not possible to deduce Jane's GP from 0-, 1-,
and 2-order statistics without supplementary knowledge. Show that it is pos-
sible, however, to deduce Jane's GP if the user knows that her GP is not 4.0.
6.13 Consider the method of randomized response, and suppose that N = 1000
individuals participate in a population survey. Each individual is asked to
toss a coin to determine which of the following questions to answer:
REFERENCES
Liu80. Liu, L., "On Linear Queries in Statistical Databases," The MITRE Corp., Bedford,
Mass. (1980).
Narg72. Nargundkar, M. S. and Saveland, W., "Random Rounding to Prevent Statistical
Disclosure," Proc. Amer. Stat. Assoc., Soc. Stat. Sec., pp. 382-385 (1972).
Olss75. Olsson, L., "Protection of Output and Stored Data in Statistical Databases," ADB-
Information, 4, Statistiska Centralbyrån, Stockholm, Sweden (1975).
Palm74. Palme, J., "Software Security," Datamation Vol. 20(1) pp. 51-55 (Jan. 1974).
Reis77. Reiss, S. B., "Practical Data-Swapping: The First Steps," pp. 38-45 in Proc. 1980
Symp. on Security and Privacy, IEEE Computer Society (Apr. 1980).
Reis78. Reiss, S. B., "Medians and Database Security," pp. 57-92 in Foundations of
Secure Computation, ed. R. A. DeMillo et al., Academic Press, New York (1978).
Reis79. Reiss, S. B., "The Practicality of Data Swapping," Technical Report No. CS-48,
Dept. of Computer Science, Brown Univ., Providence, R.I. (1979).
Sand77. Sande, G., "Towards Automated Disclosure Analysis for Establishment Based
Statistics," Statistics Canada (1977).
Schl75. Schlörer, J., "Identification and Retrieval of Personal Records from a Statistical
Data Bank," Methods Inf. Med. Vol. 14(1) pp. 7-13 (Jan. 1975).
Schl76. Schlörer, J., "Confidentiality of Statistical Records: A Threat Monitoring Scheme
for On-Line Dialogue," Meth. Inf. Med. Vol. 15(1) pp. 36-42 (1976).
Schl77. Schlörer, J., "Confidentiality and Security in Statistical Data Banks," pp. 101-123
in Data Documentation: Some Principles and Applications in Science and Industry;
Proc. Workshop on Data Documentation, ed. W. Gaus and R. Henzler, Verlag Do-
kumentation, Munich, Germany (1977).
Schl80. Schlörer, J., "Disclosure from Statistical Databases: Quantitative Aspects of
Trackers," ACM Trans. on Database Syst. Vol. 5(4) pp. 467-492 (Dec. 1980).
Schl81. Schlörer, J., "Security of Statistical Databases: Multidimensional Transforma-
tion," ACM Trans. on Database Syst. Vol. 6(1) pp. 95-112 (Mar. 1981).
Schw77. Schwartz, M. D., "Inference from Statistical Data Bases," Ph.D. Thesis, Comput-
er Sciences Dept., Purdue Univ., W. Lafayette, Ind. (Aug. 1977).
Schw79. Schwartz, M. D., Denning, D. E., and Denning, P. J., "Linear Queries in Statisti-
cal Databases," ACM Trans. on Database Syst. Vol. 4(1) pp. 476-482 (Mar. 1979).
Smit77. Smith, J. M. and Smith, D. C. P., "Database Abstractions: Aggregation and
Generalization," ACM Trans. on Database Syst. Vol. 2(2) pp. 105-133 (June 1977).
U.S.78. U.S. Dept. of Commerce, "Report on Statistical Disclosure and Disclosure-Avoid-
ance Techniques," U.S. Government Printing Office, Washington, D.C. (1978).
Warn65. Warner, S. L., "Randomized Response: A Technique for Eliminating Evasive
Answer Bias," J. Amer. Stat. Assoc. Vol. 60 pp. 63-69 (1965).
Yu77. Yu, C. T. and Chin, F. Y., "A Study on the Protection of Statistical Databases,"
Proc. ACM SIGMOD Int. Conf. Management of Data, pp. 169-181 (1977).
Index